Recent Discussions
Wrap up: Manage, Configure, and Secure Devices with Microsoft Endpoint Manager Post Day
Thanks to the thousands of people who attended our Post Day! A few housekeeping things ------------------------------------------------- You've asked about the recordings for the event. You should be able to still access the recordings for now by using the AKA links below. It will start Teams Live Events and you can just click Play to watch the whole thing. (and if that doesn't work, let me know!) We're working on the "greatest hits" complication, and we'll post that to the VideoHub when we get that. I'm working on cleaning up the decks for posting - there's some accessibility stuff I need to do - and then I'll attach them to this thread when I have them. We were thrilled with all the great feedback we got about the 24-hour, round-the-world marathon training we offered - and we'd still love more feedback! We've already announced there will be another Microsoft Ignite in March 2021 - should we do this again? If so, what topics should we cover? What should we change (besides the registration process)? Reply here! --------------------------------------------------- The product team for Microsoft Endpoint Manager usually does a pre-day event at Ignite but this year we're doing a post-day event the week after. We'll have two 4-hour Teams Live Events about how to get the most out of Microsoft Endpoint Manager. It's free! When you go to register, you'll see three options for each track to accommodate time zones around the world. Most of the dates are September 29, but depending on your time zone a session may show up on Sept 28 or Sept 30, so check all three dates to be sure. You don't need to take them in order and you can take anything that fits your schedule, even if you need to jump around the options. You'll get a calendar invite for a 4-hour block but here's how the blocks break down. (and I know some of you are getting an error message, so I'm including the direct links to the Teams Live Events down below - as long as you have that link it will connect you to the meeting, but until we start the session it will just sit there and say the meeting hasn't started yet.) Track 1:Manage, Configure, and Secure Windows Devices with Microsoft Endpoint Manage Hour 1 - Get Your Windows Devices to Microsoft Endpoint Manager Hour 2 - Configure your Windows Devices Hour 3 - Secure your Windows Devices Hour 4 - Improve the End-User Experience on Your Windows Devices Track 2: Manage, Configure, and Secure Mobile Devices with Microsoft Endpoint Manage Hour 1 - Get Your Mobile Devices to Microsoft Endpoint Manager Hour 2 - Secure Your Mobile Devices with Microsoft Endpoint Manager Hour 3 - Manage You MacOS with Microsoft Endpoint Manager Hour 4 - Manage Shared Devices for Firstline Workers Here's how it maps out, based on what we figure are the best times for each part of the world Asia/Pacific/Japan and Europe/Middle East/Africa Windows Option 1:https://aka.ms/MEMPDC/WINREG01 Mobility Option 1:https://aka.ms/MEMPDC/MOBREG01 Europe/Middle East/Africa and Americas (Windows) Windows Option 2:https://aka.ms/MEMPDC/WINREG02 Mobility Option 2:https://aka.ms/MEMPDC/MOBREG02 Europe/Middle East/Africa and Americas (Mobility) Windows Option 3:https://aka.ms/MEMPDC/WINREG03 Mobility Option 3:https://aka.ms/MEMPDC/MOBREG03 Register now! (or grab the AKA links above and make your own calendar invite to remind you it's time)Announcing Windows 10 in Cloud Configuration
Today we released a recommended set of settings for Windows 10 devices that makes devices easy to deploy, highly secure, and cloud-first. Windows 10 in cloud configuration enables organizations to provide frontline workers, remote workers, and other individuals with a select set of applications, cloud-based data storage, and a familiar Windows experience. Want to learn more? Check out the official announcement in the Windows IT Pro Blog.New tool available - ConfigMgr Prerequisites Tool 2.0.0
I've just published a new version of my ConfigMgr Prerequisites Tool 2.0.0. You can read the full blog post below: http://www.scconfigmgr.com/2016/09/13/configmgr-prerequisites-tool-2-0-0-new-version-released/ If you have any questions regarding the tool or run into any issues, don't hesitate to contact me in any way.How to create a backup of your Microsoft Endpoint Manager (Intune) infrastructure!
Dear Microsoft Intune Friends, Imagine the following situation. You have invested several hours to build your Microsoft Endpoint Manager (Intune) infrastructure. After the final tests, everything is now working exactly as you imagined. Now the question arises how can I backup all these settings and configurations? I will answer this question in this article. Note: I will describe how to compare and restore the backup in a next article. https://techcommunity.microsoft.com/t5/microsoft-intune/compare-and-restore-a-microsoft-endpoint-manager-intune-backup/m-p/2993736 What we can do in the Microsoft Endpoint Manager portal is export configuration settings to a CSV file. However, this is not exactly what I wanted. To create a complete backup of our tenant we need the power of PowerShell (power of PowerShell - funny ) I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE Set-Location Clear-Host #Customize the ExecutionPolicy (absolutely OK for this demo) Set-ExecutionPolicy -ExecutionPolicy Unrestricted #Install the Module Install-Module -Name Microsoft.Graph.Intune -Verbose -Force -AllowClobber #Install the Module Install-Module -Name MSGraphFunctions -Verbose -Force -AllowClobber #Import the Module Import-Module -Name MSGraphFunctions #Install the Module Install-Module -Name AzureAD -Verbose -Force -AllowClobber #Install IntuneBackupAndRestore from the PowerShell Gallery Install-Module -Name IntuneBackupAndRestore -Verbose -Force -AllowClobber #Update the Module Update-Module -Name IntuneBackupAndRestore -Verbose #Import the Module Import-Module IntuneBackupAndRestore #Connect to Microsoft Graph Connect-MSGraph Here you must agree to the extended permissions. #Create a folder New-Item -ItemType Directory -Path C:\Backup\IntuneBackup #Switch to the folder Set-Location C:\Backup\IntuneBackup #Create the Full-Backup Start-IntuneBackup -Path 'C:\Backup\IntuneBackup' It starts with the creation of the backup. #Let's look at the content Get-ChildItem -Path 'C:\Backup\IntuneBackup' Let's start Windows Explorer and navigate to our backup folder, Bingo....we have a complete backup! I know that was nothing spectacular, but I still wanted to share my experience with you. Thank you for taking the time to read this article. Kind regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerUse PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!
==>>A special thanks to Timmy Andersson for the PowerShell script!!<<== Dear Microsoft Intune Friends, In Microsoft Intune, it is possible to work with configuration profiles, among other things. OK, this is nothing new. But which Azure Active Directory groups have been assigned to the configuration profiles? I am confronted with this question again and again. This is where PowerShell comes into play. Let's explore this together. I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE. Set-Location C:\Temp Clear-Host #Install the module Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Verbose -Force #Connect and change the scheme Connect-MSGraph -ForceInteractive Update-MSGraphEnvironment -SchemaVersion beta Connect-MSGraph #Which group do you want to check? $groupName = "AutoPilot Geräte" $Group = Get-AADGroup -Filter "displayname eq '$GroupName'" ####Config Start#### Write-host "Azure Active Directory Group: $($Group.displayName)" -ForegroundColor Green #Apps $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllAssignedApps) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Compliance $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceCompliance) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfig) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration Powershell Scripts $Resource = "deviceManagement/deviceManagementScripts" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments" $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfigScripts) { Write-host $Config.displayName -ForegroundColor Yellow } #Administrative templates $Resource = "deviceManagement/groupPolicyConfigurations" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments" $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllADMT) { Write-host $Config.displayName -ForegroundColor Yellow } ####Config End#### Now let's check all the groups from Azure Active Directory. $Groups = Get-AADGroup | Get-MSGraphAllPages ####Config Start #### Foreach ($Group in $Groups) { Write-host "Azure Active Directory Group Name: $($Group.displayName)" -ForegroundColor Green #Apps $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllAssignedApps) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Compliance $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceCompliance) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfig) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration Powershell Scripts $Resource = "deviceManagement/deviceManagementScripts" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments" $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfigScripts) { Write-host $Config.displayName -ForegroundColor Yellow } #Administrative templates $Resource = "deviceManagement/groupPolicyConfigurations" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments" $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllADMT) { Write-host $Config.displayName -ForegroundColor Yellow } } ####Config End#### I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerOutlook for iOS (MAM only Call Identification)
In order of the implementation of O365/M365 and with it Microsoft Intune, Outlook for iOS has become the standard mail client on iOS devices for many customers today. This is due to the excellent user experience and the constant stream of new features implemented by Microsoft. From a security perspective, in addition to the provision on managed devices (managed by Intune), the secure use on unmanaged devices with MAM or App Protection Policies (APP) is a big argument for using Outlook for iOS. Currently, many ouf our customers are working on a BYOD setup for blue collar worker, who typically have a maximum of one email inbox. A big pain point for many users who use Outlook for iOS in an MAM-only setup (and for MDM setup with Intune) is the missing caller identification of Exchange Online (EXO) contacts.Outlook for iOS supports a one-way contact export process whereby contacts from within Outlook for iOS can be exported into the personal (unmanaged) part of the native iOS Contacts app. This means a contact must first be imported into the users personal contacts directory of EXO and then exported from Outlook for iOS to the native (unmanaged) iOS Contact app in order to see who is calling. This functionality enables Caller-ID, iMessage, and FaceTime integration for users’ Outlook contacts. The exported Outlook contacts are considered unmanaged and are accessible by unmanaged, personal apps. Especially for European customers who are subject to GDPR compliance, this is a no go, as personal data and company data must not be mixed. The unintentional outflow of contact data worthy of protection to commercial platforms, such as WhatsApp or Google, and the unintentional synchronization of address books with social media apps, represents a significant GDPR risk. Although the user's personal EXO contacts can be synchronized, there is currently no option to synchronize the GAL. Furthermore, there is currently no provision in Outlook for iOS to synchronize the GAL cyclically. The user has to add a GAL contact to his personal contacts as described above and then within the Outlook for iOS app export the contact to his native iOS contacts app to be able to see who is calling. To meet the GDPR compliance, we need to prevent the contact export. So this is not a solution. The question to ask is: Why does a user need to export a GAL/personal contact to their native iOS Contact app? There are already several paid app solutions that close exactly this gap (ebf Contacts, Secure Contacts, etc.) which offer more or less the same range of functions. The app builds a container and downloads the managed address books (GAL, personal) of the user and then enables the resolution of the CallerID or identification of the caller via the so-called Apple CallKit integration. Apple has been offering the so-called CallKit integration for years. With CallKit you can integrate your calling services with other call-related apps on the system. CallKit provides the calling interface, and you handle the back-end communication with your VoIP service. For incoming and outgoing calls, CallKit displays the same interfaces as the Phone app, giving your app a more native look and feel. CallKit also responds appropriately to system-level behaviors such as Do Not Disturb. In addition to handling calls, you can provide a Call Directory app extension to provide caller ID information and a list of blocked numbers associated with your service. When a phone receives an incoming call, the system first consults the user’s contacts to find a matching phone number. If no match is found, the system then consults your app’s Call Directory extension to find a matching entry to identify the phone number. This is useful for applications that maintain a contact list for a user that’s separate from the system contacts, such as a Outlook for iOS. For example, consider a user who is a colleague to Jane, but doesn’t have her phone number in their contacts. If the Outlook for iOS app has a Call Directory app extension, which downloads and adds the phone numbers of all of the user´s colleagues. When the user gets an incoming call from Jane, the system displays something like “(App Name, e.g. Outlook) Caller ID: Jane Appleseed” rather than “Unknown Caller”. The effort to integrate the Call Directory Extension is minimal and would solve many pain points from both a security and user experience perspective. Apple has documented CallKit excellently on the developer site:CallKit | Apple Developer Documentation With the possibility of using Apple CallKit in combination with Outlook for iOS and the contact synchronization (personal/GAL) of a managed EXO mailbox, the use of M365 in a BYOD scenario for customers Blue Collar workers will massively increase. Furthermore, the use of contact synchronization is then also possible for devices managed by Intune. This creates an outstanding user experience while increasing user adoption! This article was also published as feedback in the Outlook Forum for iOS:Outlook for iOS (MAM only Call Identification) · Community (microsoft.com) There are already other requests within the Microsoft community that I would like to link here: PatrickF11:Outlook for iOS + Caller Identification - Microsoft Community Hub Daniel Huttenlocher:Identify Calls with Call Directory App Extension · Community (microsoft.com)Decks for Endpoint Management Acceleration Day
Many thanks to all of you who attended any or all of our sessions for Endpoint Management Acceleration Day! We hope we were able to give you useful information! If you didn't get a chance to fill out the survey during the sessions, please fill it out now - there's a different one for each track. Mobility Survey Windows Survey If you'd like to go back and watch any of them again, or view the Q&A transcript, just use the same link you used to join the session: Mobility https://aka.ms/EMAD/MobReg01 https://aka.ms/EMAD/MobReg02 https://aka.ms/EMAD/MobReg03 Windows https://aka.ms/EMAD/WinReg01 https://aka.ms/EMAD/WinReg02 https://aka.ms/EMAD/WinReg03 I'm attaching the PDFs of the slides we used in the presentations.I'll have to do a separate post to add the Windows decks - scroll down to see those. Thanks again!
Android Fully Managed - Backup & Restore
With the requirement to factory reset mobile devices to enroll into Android enterprise (Fully managed), it is becoming increasingly more apparent that a solution to backup data on pre-factory reset devices and then restore said data onto the post-factory reset devices is needed. At the moment it appears that all restore functionality is disabled in the android fully managed solution. We would have previously used Samsung's smart switch application, which is now blocked. An example: - - User currently has a legacy managed device, loaded with photos, messages and configurations. - In order to migrate to Android fully managed, user needs to factory reset phone. - User wants to migrate all data onto the newly managed device post factory reset, however all restore functionality is disabled in a fully managed device. This case example is stopping us from progressing forward with Android fully managed. Any ideas/workarounds would be greatly appreciated? - We have been trialingSamsung cloud but have found this to be relatively unreliable. Thanks in advance!Configuration Manager 1706 Technical Preview is now live!
We've just released the latest technical preview for System Center Configuration Manager. The 1706 TP release is one of the biggest yet. Highlights include a new capabilty to deploy and monitor PowerShell scripts directly from the console without having to use packages and programs. To see a list of everything that's new, visit -https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1706Is it possible to protect the *.microsoft.com management portals with MFA?
We recently had this question pop up on twitter (@intunesuppteam) and thought it would be good to answer here since it's not the first time it's been asked.Azure MFA can be set to “required” and enforced on a per user account to require MFA for any authentication. The Azure Portal (https://portal.azure.com) also has an option to require MFA for any admin account - see this discussion https://stackoverflow.com/questions/35559006/enabling-multi-factor-authentication-for-the-azure-portal. Lastly, Conditional Access can be set to require MFA on selected cloud services.
Request: Manage Apple Vision Pro with Intune MDM
Hi, At our company, some teams are working with Apple Vision Pro because they are hoping to find new technical solutions for the business. We would also like to include Apple Vision Pro in the management of our other mobile devices via Intune MDM. Since Apple has also offered an MDM interface for Apple Vision Pro with the visionOS 1.1 update, the glasses could in principle also be managed by an MDM, but the MDM must also support the glasses. Hence my question: When will this be possible via Intune MDM? As a company, we recently switched to Intune MDM with over 110,000 devices (both mobile devices and fat clients) and we are confident that Microsoft will also support new technical products (such as the Apple Vision Pro).
Linux Managed Device Chrome support
Hi, We are in process of On-boarding Linux devices as all other OS'es must pass Conditional Access Managed/Compliant Device check. We are stumbling on a lot (a lot) of user resistance with forcing them on switch to use (only) Edge. Is there any roadmap or date when will Chrome Extension (at least chrome) be available for Linux and Managed device check during sign-in?When will Platform SSO release for macOS
Hi, Doe anyone know from the Intune team is there has there been any update/progress as to when platform SSO will release (even Preview/Beta) https://techcommunity.microsoft.com/t5/microsoft-intune-blog/microsoft-simplifies-endpoint-manager-enrollment-for-apple/ba-p/3570319 Also I read/saw that herehttps://www.macsysadmin.se/video/day3session6.mp4that we would be getting support for auto-enrolment & local admin and standard user account management. Is the above video true what is on the roadmap? ThanksBlogpost - Create Hyper-V VM and enroll it in Autopilot automatically
Wrote a blog post on how to create a VM and register it for Autopilot automatically (https://powershellisfun.com/2022/08/25/deploy-a-hyper-v-vm-and-register-it-for-autopilot-automatically-using-powershell/) Below is the script that I created for it, please read the article about how to create the intune.iso and App registration that is needed for this to work. #Requires -RunAsAdministrator #ISO Paths $ISOPath = 'D:\ISO' $IntuneISO = 'D:\ISO\intune.iso' #Start a stopwatch to measure the deployment time $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() #Detect if Hyper-V is installed if ((Get-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V-All -Online).State -ne 'Enabled') { Write-Warning ("Hyper-V Role and/or required PowerShell module is not installed, please install before running this script...") } else { Write-host ("Hyper-V Role is installed, continuing...") -ForegroundColor Green } #Set VM Parameters $VMname = Read-Host 'Please enter the name of the VM to be created, for example W11Intune' if ((Get-VM -Name $VMname -ErrorAction SilentlyContinue).count -ge 1) { Write-Warning ("VM {0} already exists on this system, aborting..." -f $VMname) return } $VMCores = Read-Host 'Please enter the amount of cores, for example 2' [int64]$VMRAM = 1GB * (read-host "Enter Memory in Gb's, for example 4") [int64]$VMDISK = 1GB * (read-host "Enter HDD size in Gb's, for example 40") $VMdir = (get-vmhost).VirtualMachinePath + $VMname $ISO = Get-Childitem $ISOPath *.ISO | Out-GridView -OutputMode Single -Title 'Please select the ISO from the list and click OK' if (($ISO.FullName).Count -ne '1') { Write-Warning ("No ISO, script aborted...") return } $SwitchName = Get-VMSwitch | Out-GridView -OutputMode Single -Title 'Please select the VM Switch and click OK' | Select-Object Name if (($SwitchName.Name).Count -ne '1') { Write-Warning ("No Virtual Switch selected, script aborted...") return } #Create VM directory try { New-Item -ItemType Directory -Path $VMdir -Force:$true -ErrorAction SilentlyContinue | Out-Null } catch { Write-Warning ("Couldn't create {0} folder, please check VM Name for illegal characters or permissions on folder..." -f $VMdir) return } finally { if (test-path -Path $VMdir -ErrorAction SilentlyContinue) { Write-Host ("Using {0} as Virtual Machine location..." -f $VMdir) -ForegroundColor Green } } #Create VM with the specified values try { New-VM -Name $VMname ` -SwitchName $SwitchName.Name ` -Path $VMdir ` -Generation 2 ` -Confirm:$false ` -NewVHDPath "$($vmdir)\$($VMname).vhdx" ` -NewVHDSizeBytes ([math]::Round($vmdisk * 1024) / 1KB) ` -ErrorAction Stop ` | Out-Null } catch { Write-Warning ("Error creating {0}, please check logs and make sure {0} doesn't already exist..." -f $VMname) return } finally { if (Get-VM -Name $VMname -ErrorAction SilentlyContinue | Out-Null) { write-host ("Created {0})..." -f $VMname) -ForegroundColor Green } } #Configure settings on the VM, CPU/Memory/Disk/BootOrder/TPM/Checkpoints try { Write-Host ("Configuring settings on {0}..." -f $VMname) -ForegroundColor Green #VM Settings Set-VM -name $VMname ` -ProcessorCount $VMCores ` -StaticMemory ` -MemoryStartupBytes $VMRAM ` -CheckpointType ProductionOnly ` -AutomaticCheckpointsEnabled:$false ` -ErrorAction SilentlyContinue ` | Out-Null #Add Harddisk Add-VMHardDiskDrive -VMName $VMname -Path "$($vmdir)\$($VMname).vhdx" -ControllerType SCSI -ErrorAction SilentlyContinue | Out-Null #Add DVD with iso and set it as bootdevice Add-VMDvdDrive -VMName $VMName -Path $ISO.FullName -Passthru -ErrorAction SilentlyContinue | Out-Null $DVD = Get-VMDvdDrive -VMName $VMname $VMHD = Get-VMHardDiskDrive -VMName $VMname Set-VMFirmware -VMName $VMName -FirstBootDevice $VMHD Set-VMFirmware -VMName $VMName -FirstBootDevice $DVD Set-VMFirmware -VMName $VMname -EnableSecureBoot:On #Enable TPM and secure boot $owner = Get-HgsGuardian UntrustedGuardian $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot Set-VMKeyProtector -VMName $VMname -KeyProtector $kp.RawData Enable-VMTPM -VMName $VMname #Enable all integration services Enable-VMIntegrationService -VMName $VMname -Name 'Guest Service Interface' , 'Heartbeat', 'Key-Value Pair Exchange', 'Shutdown', 'Time Synchronization', 'VSS' } catch { Write-Warning ("Error setting VM parameters, check settings of VM {0} ..." -f $VMname) return } #Start VM and wait until VM is at language selection screen Write-Host ("Starting VM {0}, press Enter to continue when you are on the language selection screen after completing the inital setup steps. `nConnecting to console now...." -f $VMname) -ForegroundColor Green Start-VM -VMName $VMname vmconnect.exe localhost $VMName Pause #Add Intune ISO Set-VMDvdDrive -VMName $VMname -Path $IntuneISO Write-Host ("Press Shift-F10 on the console of VM {0}, switch to d:\ and run d:\autopilot.cmd to upload hardware hash to Intune. The VM will shutdown when done!" -f $VMname) -ForegroundColor Green Write-Host ("Press Enter when the VM has shutdown to stop this script and disconnect the Intune ISO file from VM {0}" -f $VMname) -ForegroundColor Green pause Write-Host ("Ejecting Intune ISO file from VM {0}" -f $VMname) -ForegroundColor Green Set-VMDvdDrive -VMName $VMname -Path $null #The end, stop stopwatch and display the time that it took to deploy $stopwatch.Stop() Write-Host "Done, the deployment took $($stopwatch.Elapsed.Hours) hours, $($stopwatch.Elapsed.Minutes) minutes and $($stopwatch.Elapsed.Seconds) seconds" -ForegroundColor GreenAutologin to kiosk not working as expected
We recently answered a customer support question regarding kiosk and Windows desktop and figured it would be useful to share the answer here. The customer ran into a scenario where the kiosk profile was successfully deployed through Intune, but the autologin to the Kiosk account was not working as expected. Through the troubleshooting, we discovered the customer was using a VM for testing, which is not supported. While our Windows docs team is updating their documentation to share that kiosk does not support RDP, we also found Michael Niehaus' blog here: https://blogs.technet.microsoft.com/mniehaus/2018/06/07/deploying-a-kiosk-using-windows-autopilot/ which calls out that restriction in virtual TPM's.
Recent Blogs
- 3 MIN READLearn more aboutunenrolling from MDM when unjoining and rejoining Microsoft Entra hybrid devices.Nov 09, 2024
- 4 MIN READNew unified settings for device configuration policies in Microsoft Intune!Nov 08, 2024
