In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.
Delivering PowerShell scripts to Windows 10 devices using Microsoft Endpoint Manager is one of my favorite features but what do you do if the delivery of the script fails? There are two ways of checking for troubleshooting purposes
Using the Registry
By browsing the following location you able to see all the PowerShell script that has been applied to your Windows 10 device. With this, you will see Result/ResultDetails which provide if the execution was successful and any error message if not successful.
I have been recently running a number of PowerShell scripts where I required to elevate the session to Administrator. Ideally I didnt want to have to provide logon details everytime, so the following script removed the need to provide Admin credentials.
# Original Script located at:
# Get the ID and security principal of the current user account
# Get the security principal for the Administrator role
# Check to see if we are currently running "as Administrator"
# We are running "as Administrator" - so change the title and background color to indicate this
$Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
$Host.UI.RawUI.BackgroundColor = "DarkBlue"
# We are not running "as Administrator" - so relaunch as administrator
# Create a new process object that starts PowerShell
$newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell";
# Specify the current script path and name as a parameter
$newProcess.Arguments = $myInvocation.MyCommand.Definition;
# Indicate that the process should be elevated
$newProcess.Verb = "runas";
# Start the new process
In recent times I have had to rebuild a number of my Windows 10 devices and reinstall my favourite scripts, applications and tweaks. Which got me thinking there must be a better way of rebuilding my devices, so heres my approach.
Azure Blob Storage
After transitioning from a very UC focused role I have been learning an appreciation for the whole M365 stack and how Microsoft Azure can work hand in hand with potential problems or scenarios. Microsoft have done a very good job in providing a platform to enable businesses and organisations to leverage their subscriptions in more power ways, so with that being said lots looks at Azure Blob Storage.
First of all we need to log into the Azure Portal as this is where all the required work will now take place. Once logged in you will need to search for Storage account as this is where all files will need stored. In my case, I have already created a Storage Account but you can complete this by using the Add button.
As you have now created the Storage Account, you will need to go to Containers as shown below.
Again in my case I already have a container called intuneblogaboutcloud but you can create your container by clicking + Container
We can now upload all required PowerShell scripts, installers, images etc.. depending on what you are attending to achieve. In my container, I have created folders to structure the data.
One of the key things to understand with each file uploaded it has a unique URL, please keep this in mind as later in this post I will be demostrating how I use this URL to deliver customizations to my Windows 10 devices.
So Microsoft Endpoint Manager has the ability to deliver PowerShell scripts to any and all Windows 10 enrolled devices. As I was getting annoyed in having to reinstall PowerShell customizations and tweaks I like to perform on my client machines. I created several scripts that do the hard work for me.
One of the unique features of this script is to check for updated versions of the module from the PSGallery. However, this feature isn’t effective using MEM for delivery unless a modified script is upload to the MEM.
As mentioned in the Azure Blob Storage section the unique URL will have an important part to play. As you can see from the image below, I have highlighted 3 sections
1 – The unique URL with its our unique variable name $chromeinstaller
2 – The download command
3 – The installer command
Even with limited PowerShell experience, you will be able to understand how this script works and customize to your needs. Whether its an .msi, .exe, .ps1 you just modify the script to your needs.
Finally, delivering applications to Windows 10 using the native W32 App method. Microsoft have already made it easier with Microsoft Apps for Enterprise aka Office ProPlus but as you can see I have leverage MEM to install a number of MSI files that I like on my machines. I will not going into detail on this section as its quite straight forward.
So there you have it, customizing my Windows 10 devices with my tweaks, modules and applications via Microsoft Endpoint Manager + Azure Blob Storage and PowerShell.
Once you have added the modified script and assigned to the relevant Users or Device or both. At the next check in the PowerShell script will execute against the device to make the new background available.
As you can see from my image below, my 2 new images have appeared as options.
Microsoft Endpoint Manager is great however, if you want to encrypt Windows 10 device silently with a normal standard user logged in then you might find it difficult to do so via the MEM Portal settings. So this is where this blog post will come in handy 🙂
In order to encrypt the device silent you need to create a Custom Configuration Policy. Browse to your Microsoft Endpoint Manager Portal or Intune Portal –> Go to Device Configurations Profile –> Create New Profile
Enter a Name for the Profile
Select Windows 10 and later from Platform
Select Custom from Profile type
Select Configure from Settings
We will now need to enter the following information to configure encryption.
Once you have created the policy, assign it to your required devices and BitLocker will now encrypt the devices.
Oh but wait!!!
In my experience in performing this procedure have ran into an issue where Intune recognises the device has compliant against “Require BitLocker” but non-compliant against “Encryption of data storage on the device”.
This is due to the device not being able to backup the BitLocker Encryption Key to Azure Active Directory. The workaround for this was to deploy a PowerShell script using Intune that forces the key to be backup up.
So lets add a script to Intune which will execute the required steps; First go to Device Configuration –> Scripts –> Add
Provide a Name which will easily identify the script in the Intune Portal.
Browse to the script location on your local machine or network drive Tick Yes to Run script in 64 bit PowerShell host.
And save then assign to the required AAD Group to execute on the client macine.
I cannot take any credit for the script but it resolves the issue I encountered and my compliant policy was once again “Compliant” for all devices. I have made this script available via my GitHub account.
Office 365 ProPlus has adopted a servicing model for client updates, allowing new features, non-security updates, and security updates to be released on a regular basis, ensuring your users are always up to date with the latest functionality and improvements.
The client servicing model for Office 365 ProPlus provides options that allow organizations to manage the frequency at which features and updates are deployed using multiple release channels which can be configured for all users or a specific set of users within the organization allowing IT to manage update deployment.
The Monthly Channel is made available every month and is targetted to users that want the latest features and updates as soon as they are available.
The Semi-Annual Channel
The Semi-Annual Channel is made available every 6 months, in January/July and is best for organizations that don’t want to deploy the latest features of Office right away or that have a significant number of LOB applications, add-ins, or macros that need to be tested prior to broad deployment. This approach helps to avoid compatibility issues that can potentially stall deployments.
This channel has 18 months of support before the version will need to upgrade to the latest release of ProPlus.
The Semi-Annual Channel (Targeted)
The Semi-Annual Channel (Targeted) enables a group of early adopters who get the latest and greatest features four months in advance of a Semi-Annual release, allowing time for organizations to test the new features and updates. This is available every 6 months, in March and September.
This channel has 14 months of support before the version will need to upgrade to the latest release of ProPlus.
Below is a diagram about how the “Update Model” works.
Check out my Office Pro Plus Tool Kit script designed to assist with testing and deployments.
One of my pet hates when receiving a new laptop or device is reinstalling all the common modules that I use to complete my work. So in good old Blogabout.Cloud fashion I have created a script that installs the following
This script will also check if the module installed and if a newer version is available within the PSGallery. I have made this script available on GitHub for your downloading pleasure;