In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.
In recent times I have had to rebuild a number of my Windows 10 devices and reinstall my favourite scripts, applications and tweaks. Which got me thinking there must be a better way of rebuilding my devices, so heres my approach.
Azure Blob Storage
After transitioning from a very UC focused role I have been learning an appreciation for the whole M365 stack and how Microsoft Azure can work hand in hand with potential problems or scenarios. Microsoft have done a very good job in providing a platform to enable businesses and organisations to leverage their subscriptions in more power ways, so with that being said lots looks at Azure Blob Storage.
First of all we need to log into the Azure Portal as this is where all the required work will now take place. Once logged in you will need to search for Storage account as this is where all files will need stored. In my case, I have already created a Storage Account but you can complete this by using the Add button.
As you have now created the Storage Account, you will need to go to Containers as shown below.
Again in my case I already have a container called intuneblogaboutcloud but you can create your container by clicking + Container
We can now upload all required PowerShell scripts, installers, images etc.. depending on what you are attending to achieve. In my container, I have created folders to structure the data.
One of the key things to understand with each file uploaded it has a unique URL, please keep this in mind as later in this post I will be demostrating how I use this URL to deliver customizations to my Windows 10 devices.
So Microsoft Endpoint Manager has the ability to deliver PowerShell scripts to any and all Windows 10 enrolled devices. As I was getting annoyed in having to reinstall PowerShell customizations and tweaks I like to perform on my client machines. I created several scripts that do the hard work for me.
One of the unique features of this script is to check for updated versions of the module from the PSGallery. However, this feature isn’t effective using MEM for delivery unless a modified script is upload to the MEM.
As mentioned in the Azure Blob Storage section the unique URL will have an important part to play. As you can see from the image below, I have highlighted 3 sections
1 – The unique URL with its our unique variable name $chromeinstaller
2 – The download command
3 – The installer command
Even with limited PowerShell experience, you will be able to understand how this script works and customize to your needs. Whether its an .msi, .exe, .ps1 you just modify the script to your needs.
Finally, delivering applications to Windows 10 using the native W32 App method. Microsoft have already made it easier with Microsoft Apps for Enterprise aka Office ProPlus but as you can see I have leverage MEM to install a number of MSI files that I like on my machines. I will not going into detail on this section as its quite straight forward.
So there you have it, customizing my Windows 10 devices with my tweaks, modules and applications via Microsoft Endpoint Manager + Azure Blob Storage and PowerShell.
Recently during a rollout of Microsoft Endpoint Manager, I noticed that my configured Lockscreen and Desktop background where not being applied to my newly enrolled Windows 10 devices. 🙁 After a bit of investigation I noticed that the device was running as Windows 10 Pro, even though the image used to build the machine was Windows 10 Enterprise.
Launch https://devicemanagement.microsoft.com and browse to Device –> Configuration Profiles –> New – Name = Provide a name – Description = (Optional) – Platform = Windows 10 and later – Profile Type = Edition upgrade and mode switch – Settings = Select Windows 10 Enterprise and provide your key
Now assign the policy to the affected devices and you will now have Windows 10 Enteprise devices.
Microsoft Endpoint Manager is great however, if you want to encrypt Windows 10 device silently with a normal standard user logged in then you might find it difficult to do so via the MEM Portal settings. So this is where this blog post will come in handy 🙂
In order to encrypt the device silent you need to create a Custom Configuration Policy. Browse to your Microsoft Endpoint Manager Portal or Intune Portal –> Go to Device Configurations Profile –> Create New Profile
Enter a Name for the Profile
Select Windows 10 and later from Platform
Select Custom from Profile type
Select Configure from Settings
We will now need to enter the following information to configure encryption.
Once you have created the policy, assign it to your required devices and BitLocker will now encrypt the devices.
Oh but wait!!!
In my experience in performing this procedure have ran into an issue where Intune recognises the device has compliant against “Require BitLocker” but non-compliant against “Encryption of data storage on the device”.
This is due to the device not being able to backup the BitLocker Encryption Key to Azure Active Directory. The workaround for this was to deploy a PowerShell script using Intune that forces the key to be backup up.
So lets add a script to Intune which will execute the required steps; First go to Device Configuration –> Scripts –> Add
Provide a Name which will easily identify the script in the Intune Portal.
Browse to the script location on your local machine or network drive Tick Yes to Run script in 64 bit PowerShell host.
And save then assign to the required AAD Group to execute on the client macine.
I cannot take any credit for the script but it resolves the issue I encountered and my compliant policy was once again “Compliant” for all devices. I have made this script available via my GitHub account.
Windows Autopilot has increased popularity over the past 3 years since its release in 2017. As a consultant within the Microsoft Cloud space, I had more conversations with customers about how Autopilot can change who they deploy Windows 10 devices to their end-users.
Being able to deliver a brand new Windows 10 device from the OEM Factory to the end-users desk that is already configured with all the required security policies and applications has to be the biggest selling point.
This post is how we can move to Windows Autopilot in 3 easy steps;
Step 1 – Register Devices
Option 1 – (Recommended) Have devices registered automatically;
– Request clean images, choice of Windows 10 version at the same time (if available) not all OEM vendors are able to provide clean images. A useful workaround for this is getting a Windows 10 script I have seen available to remove bloatware. If you haven’t seen it I have dropped a copy on GitHub. – Specify group tag to help segment device by purpose (depending on the size of your organisation this may not be a requirement) -Device are automatically tagged with purchase order ID
Option 2 – (Recommended for Piloting) Register devices yourself via Intune for testing and evaluation using Get-WindowsAutopilotInfo PowerShell script created by Microsoft.
Once you have the required CSV file from executing the script you can manually register the device.
Option 3 – Register (harvest) existing Intune-managed devices automatically. If you are an organisation that has already enrolled your Windows 10 devices into Microsoft Intune you can register all devices for Windows Autopilot.
Step 2 – Assign a profile
Use Intune; – Select profile scenario (user-driven or self-deploying) – Configure required settings -Assign to Azure AD group so Intune will automatically assign to all devices in that group. (I am a big fan of dynamic groups)
Use a dynamic Azure AD group to automate this step – Consider static Azure AD groups for exceptions
Azure Hybrid AD join for devices that dont have line of sight to a domain controller, this is currently in testing and will use a VPN to call home. The support has been built into Windows 10 1909.
Step 3 – Deploy
Boot up the device or devices
Connect to a network either wired or wireless
Enter credentials if required (credentials not required for self-deployment profiles)
The device will now go away and provision based on your configuration within Microsoft Endpoint Manager, once complete all that is left to say is…
Welcome to Windows Autopilot!!! I will be writing a more in-depth post about Autopilot soon because off the configuration I am currently using for my home devices.
Delivering your corporate applications can be a nightmare if you dont have a enterprise delivery solution like System Center or 3rd party mechanism.
So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.
Azure Storage Account
One of the requirements for this solution is an Azure Storage Account within your Azure subscription, this account will be used for storing the applications which you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.
Specify the required settings within the Basic tab for creating a Storage Account.
Using the default settings as shown below
Click Review and Create Click Create
Configuring Storage Account with required Applications
Click Container Specify the Name Select Conditioner (anonymous read access for containers and blobs) under Public Access Level
Select your container Select Upload Select the files you want to upload Modify the block size if it’s less than the size of the files you are uploading Select Upload
Once the files are upload they all have a unique url which is used to identify the file as shown below.
The PowerShell Script!!!
I have created a PowerShell script that is available on GitHub and should be self-explanatory.
Step 1 – Download all the required files into C:\_Build Step 2 – Run installer files Step 3 – Run additional Powershell scripts (Optional) Step 4 – Remove C:\_Build Step 5 – Create RegKeys (Optional)
Recently when working with a customer I was troubleshooting why their devices were showing up as Azure AD Registered in the Azure portal in Azure Active Directory when they should be Hybrid Azure AD joined. These were Windows 10 1809 devices.
When running “dsregcmd /status” on one of the machines, it would show as AzureAdJoined : NO. When it is Hybrid Azure AD joined, it should still say Yes.
If you run the command as admin, you will see there is Diagnostic Data section. On my devices, it said:
Client ErrorCode : 0x801c03f2 Server ErrorCode : DirectoryError Server Message: The device object by the given id (guid) is not found.
This is because the device(s) has not been synced to Azure AD by Azure AD Connect. Make sure that the OU’s that the computer objects are in is set to sync to Azure AD. In my customer’s configuration, they had additional filtering where the users and computer objects needed to be in a Security Group to be synced to Azure AD.
Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine now shows as Hybrid Azure AD joined in the Azure portal.
When testing BitLocker encryption on the new Windows 10 1909 release using my VMWare environment. I ran into the following error;
This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at start-up” policy for OS volumes.
Go to your Local Group Policy
Locate the following setting under Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives
Require additional authentication at startup
We will now need to edit this policy to enable the required settings, please use the below screenshot as your guide.
Once the policy has been enabled with the required settings, re-run BitLocker Drive Encryption and this time it’ll be more successful.
So I have been recently cleaning up my test lab Azure Active Directory and accidentally removed a device which I was still actively using within my tenant. I received the following error;
“Your organization has deleted this device. To fix this, contact your system administrator and provide error code 700003”
When trying to access organizational resources
In order to resolve this issue, you need to complete the following steps
– Remove the Work account from the Windows 10 device under your account –> Access Work or School and remove the account – Open command line or PowerShell windows with Admin rights – Enter the following command; – dsregcmd /leave
Enter command: “dsregcmd /status” to check if the system is now left the Azure AD
You will now been able to register your device and access your organisation once again.