Microsoft Intune
16 Topics

Powershell - Change Intune Application Assignments
Hello, I'd like to bulk-edit a number of my Intune Win32 assignments. I've got ~30 applications to go through, but I've noted their AppIDs so it would be worth the time investment to find a working Powershell script to run this without having to manually edit each one.

Below runs through Elevated Powershell without error, so I'd thought it was successful. Unfortunately nothing changes and assignments remain the same. I've cut down the number in this script and edited tenant-based ID's but practically-speaking this runs through fine. Can anyone advise? I'm new to powershell and basically relying on AI to help make them, or the occasional forum post I can find.

    # Install the Microsoft Graph PowerShell SDK if not already installed
    Install-Module Microsoft.Graph -Scope CurrentUser -Force

    # Import the Device Management module
    Import-Module Microsoft.Graph.DeviceManagement

    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

    # Retrieve all mobile apps
    $allApps = Get-MgDeviceAppManagementMobileApp

    # Filter for Win32 apps
    $win32Apps = $allApps | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.win32LobApp' }

    # List of specific app IDs to target
    $specificAppIds = @(
        "ba5988e8-4hhe-4e99-9181-ff85ce589113",
        "d49dk602-5e02-4af3-b09c-d98d8edac8fb"
    )

    # Filter the Win32 apps to only include the specific apps
    $targetApps = $win32Apps | Where-Object { $specificAppIds -contains $_.Id }

    # Define group IDs
    $requiredGroupId = "57ce1fb3-5f94-4287-8f0b-e2ed595ac900" # Replace with your actual required group ID
    $uninstallGroupId = "aq7a3571-7f71-4deb-8f81-289dfe38a2e6" # Replace with your actual uninstall group ID

    # Loop through each target app and update the assignment
    foreach ($app in $targetApps) {
        # Get the current assignments
        $assignments = Get-MgDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id

        # Define the new assignments
        $requiredGroupAssignment = @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId = $requiredGroupId
            }
            intent = "required"
        }
        $uninstallGroupAssignment = @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId = $uninstallGroupId
            }
            intent = "uninstall"
        }

        # Add the new assignments to the existing assignments
        $updatedAssignments = $assignments + $requiredGroupAssignment + $uninstallGroupAssignment

        # Update the app assignments
        Update-MgDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id -BodyParameter $updatedAssignments
    }

232 Views, 0 likes, 0 Comments

PowerShell script to change font of office apps
Hi,

We are using Microsoft 365 for Enterprise for delivery office apps to users via Microsoft Intune. Currently the default font for all office apps is Calibri and now users want that it should change to Arial, 11 font. Is there a way in Powershell to make that change? I have been suggested ways to do it with .net objects or Interop. Can someone please share a sample PowerShell script or a full script to make that change?

Thanks,
Ashish Arya

30K Views, 0 likes, 18 Comments

Object reference not set to an instance of an object - when splatting to a custom function
I've written a module for a specific O365 function - onboarding users to mobile in InTune. The module works, but I needed to add the ability for users to specify alternative credentials to run the module. To achieve this, I'm using the splat method, which enables me to add credentials in the hash table.

Unfortunately, I'm getting error "Object reference not set to an instance of an object" with this method and cannot understand why. The parameters appear to be passed through OK as I can print them to host, but the command doesn't like it. Hopefully it's something obvious. FYI, if I rem out @Params and use the $User variable, it will work.

    $Params = @{
        User = $User
    }
    if ($Null -ne $Credential) {$Params.add('Credential', $Credential)}
    Try {
        get-EXOEnabled @Params #Custom function
    }
    Catch {...}

Solved, 5.9K Views, 0 likes, 5 Comments

Question: Script to see if device is Azure AD joined
We often receive notebooks that are still joined to an Azure AD tenant. Is there a (simple) Powershell script that shows if a device is still joined to a tenant? Knowing which exact tenant the device is registered to is a nice-to-have but not required.

FYI, we already tried the cmd command 'dsregcmd' but unfortunately the output was not reliable. We found multiple occasions where dsregcmd claimed the device was not Azure AD joined while it definitely was.

4.3K Views, 0 likes, 3 Comments

Question: Script to remove a specific device from MEM (Intune) and Azure AD
I am looking for a script to fully remove an (Autopilot) device from a Microsoft tenant. The goal is to remove a specific device that I have physical access to from both Microsoft Endpoint Manager (Intune) and Azure AD. I want to accomplish this by running a (PowerShell) script on the device itself. The script should return output to indicate success or failure.

Please keep the following parameters in mind:
Before running the script, I have access to the physical device and I know the serial number of the device.
I do not know the deviceID or tenant of the specific device, but I do have an Intune Admin account in the tenant where the device sits.
The device is an Autopilot device.
I do not want to log into the Microsoft tenant directly but only run scripts from the device itself.

Thank you very much, looking forward to any tips this community has to offer!

Solved, 33K Views, 0 likes, 15 Comments

Intune Powershell Script to delete Folders
Hi,

I'm no expert in Powershell, and I'm willing to delete folders on computers that are managed by Intune. I already tried some scripts in Powershell to run in Intune, but I have no success in deleting the folders. How should I do it?

Folder is located:
c:\Users\STUDENTNAME\Appdata\Local\FOLDERtoDELETE
and
c:\Users\STUDENTNAME\Appdata\Roaming\FOLDERtoDELETE

I've tried this script in Platform scripts:

    $foldersToCheck = @(
        "${env:LOCALAppData}\FOLDERtoDELETE_1",
        "${env:AppData}\FOLDERtoDELETE_2",
        "${env:ProgramFiles}\FOLDERtoDELETE_3",
        "${env:ProgramFiles(x86)}\FOLDERtoDELETE_4"
    )
    foreach ($folderPath in $foldersToCheck) {
        if (Test-Path $folderPath -PathType Container) {
            try {
                Remove-Item -Path $folderPath -Recurse -Force -ErrorAction Stop
                Write-Host "Folder '$folderPath' has been deleted."
            } catch {
                Write-Host "Error deleting folder '$folderPath': $_"
            }
        } else {
            Write-Host "Folder '$folderPath' does not exist."
        }
    }

Thank you very much in advance!

2.9K Views, 0 likes, 5 Comments

Windows 11 assigned access - setting kiosk mode over powershell and WMI
Hey guys,

so currently as this article states, kiosk multi app mode in Intune for Windows 11 is on the roadmap, but there is no ETA, when it comes live.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558

I then tried as this article shows (https://learn.microsoft.com/en-us/windows/configuration/lock-down-windows-11-to-specific-apps) to run the stated powershell script with my own configured XML file, as you can see here:

    $nameSpaceName="root\cimv2\mdm\dmmap"
    $className="MDM_AssignedAccess"
    $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
    Add-Type -AssemblyName System.Web
    $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode (@"
    <?xml version="1.0" encoding="utf-8" ?>
    <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
      <Profiles>
        <Profile Id="dca70007-6874-49b3-930f-26ead1d85918">
          <AllAppsList>
            <AllowedApps>
              <App AppUserModelId="Citrix.Workspace" rs5:AutoLaunch="true">
              <App AppUserModelId="MSEdge" />
              <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
              <App AppUserModelId="Microsoft.Windows.Explorer" />
            </AllowedApps>
          </AllAppsList>
          <win11:StartPins>
            <![CDATA[
              {"pinnedList": [
                {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Citrix Workspace.lnk"},
                {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"},
                {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
                {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
                {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
              ]}
            ]]>
          <win11:StartPins/>
          <Taskbar ShowTaskbar="true"/><Taskbar/>
        </Profile>
      </Profiles>
      <Configs>
        <Config>
          <AutoLogonAccount/>
          <DefaultProfile Id="{c374b80f-6aea-4c02-b1db-7bb1dfc4fe84}"/>
        </Config>
      </Configs>
    </AssignedAccessConfiguration>
    "@)
    Set-CimInstance -CimInstance $obj

but I'm getting the following errors:

    Get-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:3:8
    Line |
       3 | $obj = Get-CimInstance -Namespace $namespaceName -ClassName $classNam …
         |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | Zugriff verweigert.

    InvalidOperation: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:5:1
    Line |
       5 | $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode
         | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | The property 'Configuration' cannot be found on this object. Verify that the property exists and can be set.

    Set-CimInstance: C:\Users\michael.woerner\GitHub-Repo\Github_Work\Intune\Scripts\Kiosk-XML-WMI.ps1:44:30
    Line |
      44 | Set-CimInstance -CimInstance $obj
         |                              ~~~~
         | Cannot bind argument to parameter 'InputObject' because it is null.

Can you guys help me with that?

13K Views, 0 likes, 37 Comments

With Graph API we are only getting 1000 devices
Hi Team,

We are using the below PowerShell script to change the Primary user of a device by checking the last logged in userid. Below is the github repo link which holds this PowerShell script and also the link of an article about the explanation of this script -

https://raw.githubusercontent.com/svdbusse/IntuneScripts/master/PrimaryUser/Set-PrimaryUserfromLastLogIn.ps1
https://svdbusse.github.io/SemiAnnualChat/2020/03/21/Changing-Intune-Primary-User-To-Last-Logged-On-User.html

The problem now is that we are only able to get 1000 devices in the $Devices variable in the above mentioned script and we have around 2000 devices so 1000 more devices are not getting fetched by this script. Also this script always gets the devices in the same pattern, i.e. if I run the script today and tomorrow then the devices will show the same pattern that is also the reason the rest 1000 devices are not getting fetched.

Any solution to this issue will be a great help for me.

Regards,
Ashish Arya

Solved, 8.9K Views, 0 likes, 10 Comments

Intune PowerShell Enable Lost Mode
Hi there,

I want to disable multiple devices (Apple Devices) in Intune. Particularly I want to put them in Enable Lost Mode = Enabled. Once the LostModeState = Disabled I am successfully able to Enable this state using this PowerShell Command:

    invoke-msGraphRequest -Url "/deviceManagement/managedDevices/$device.id/DisableLostMode" -HTTPMethod POST

The command above is working just fine. But when I use the same command to enable the same devices it is not working, nor am I getting any error message. I am using this command to enable the LostModeState:

    $message = 'test-disable'
    invoke-msGraphRequest -Url "/deviceManagement/managedDevices/$device.id/EnableLostMode" -HTTPMethod POST -Content $message

Thanks for your help

1.5K Views, 0 likes, 2 Comments

Powershell Script when installing MSI and MSP together
Hi,

I'm doing an Intune packaging where I have below PowerShell Script when installing MSI and MSP together, however, it installs only msi wondering if something is wrong why MSP is not installing.

    $InstallDir = "C:\Program Files\"
    $shortcuts = "1"
    $reference = "TRIM"
    #We can automate and control based on installed features on the pc
    $word = "1"
    $excel = "1"
    $powerpoint = "1"
    $outlook = "1"
    $project = "0"
    $date = ((get-date).ToUniversalTime()).ToString("yyyyMMddThhmmssZ")
    $logPath = "C:\TEMP"
    $CMlog = $logPath+"\CM_Install_$date.log"
    $patchlog = $logPath+"\CM_Patch_Install_$date.log"
    New-Item -ItemType Directory -Force -Path $logPath | Out-Null
    $cmArg = '/i "'+"$PSScriptRoot"+'\'+'CM_Client_x64.msi" /qn /norestart /l*v "'+"$CMlog"+'" INSTALLDIR="'+"$InstallDir"+'" TRIM_DSK="'+"$shortcuts"+'" TRIMREF="'+"$reference"+'" WORD_ON="'+"$word"+'" EXCEL_ON="'+"$excel"+'" POWERPOINT_ON="'+"$powerpoint"+'" OUTLOOK_ON="'+"$outlook"+'" PROJECT_ON="'+"$project"+'"'
    Start-Process "msiexec.exe" -Wait -ArgumentList $cmArg
    $patchArg = '/i "'+"$PSScriptRoot"+'\'+'CM_Patch1.msp" /qn /norestart /l*v "'+"$Patch1log"+'"'
    Start-Process $file -Wait -ArgumentList $patchArg
    $patchArg = '/i "'+"$PSScriptRoot"+'\'+'CM_Patch1H41.msp" /qn /norestart /l*v "'+"$Hotfixlog"+'"'
    Start-Process $file -Wait -ArgumentList $patchArg

5.4K Views, 0 likes, 4 Comments