powershell
31 Topics

help with remediation
Hi, I'm trying to create detection and remediation scripts for Intune to detect the presence of a template in the user's Word startup folder.

**My detection is as follows**

```powershell
$path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm"
if (Test-Path $path) {
    Write-Output "File exists: $path"
    exit 1 # Success, file exists
} else {
    Write-Output "File not found: $path"
    exit 0 # Failure, file does not exist
}
```

**My remediation**

```powershell
$path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm"
if (Test-Path $path) {
    Remove-Item -Path $path -Force
}
```

It seems like the detection works as the detection status is "without issues" but the remediation doesn't run. Any advice on how to correct this very much welcomed.

25 Views 0 likes 2 Comments

Error on Connect-MSGraph
Hello, I would like to use PowerShell to sync Intune devices, but when I launch the Connect-MSGraph command and enter the user credentials it responds with the following error message:

AADSTS700016: Application with identifier d1ddf0e4-d672-4dae-b554-9d5bdfd93547 was not found in the directory 'Contoso'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Is there a problem with Azure Graph app? How can I fix it? Thank you very much.

37 Views 0 likes 0 Comments

Manipulating the registry via Intune push
Our goal is simple: Manipulate the registry as part of application deployment or PowerShell script.

Use case: When we install our VPN client, there are a raft of registry updates that need to be made to configure it for use in our environment. The easiest way of doing this is simply by importing a .reg file we've created.

The problem that I just can't seem to overcome is how to import a .reg file using PowerShell as part of an Intune deployment. For testing purposes, I've created a simple test registry file and I'd ideally like to use a PS script that simply has the command "reg.exe import .\1Test.reg" in it. The command runs perfectly from CLI but when I try pushing it as part of a Win32 app, it fails. When I build in other diagnostic steps, everything in the script runs perfectly except for the actual import.

I've tried using the script to create a temporary directory, copy the files to it, set it as the working directory, and importing from there in case there were path issues. Everything works perfectly all the way up to the actual import, which never works. I've tried using "regedit.exe /silent" as well as "reg.exe" and I've spun it off as a separate process; nothing seems to work. I think it needs to run in the user instead of system context so I've tried both of those.

I'm currently at a 100% failure in my ability to figure this out and I'm hoping that someone out there in the community has dealt with this and knows the incredibly simple secret and can demystify it for me. Thanks in advance for your help!

143K Views 0 likes 11 Comments

disconnect the other work or school accounts via Intune
Hi,

Our users are working on projects and need to access their emails. When they add their email to Outlook, they often do not select the "Sign in with this app only" option. This causes a conflict because the other MS account gets added to the "Work or School Account," leading to issues with the Windows license. The license is supposed to be Enterprise instead of Pro, as we have Microsoft E3 licenses.

My question is, how can I disconnect the other work or school accounts via Intune, using PowerShell or another tool, to avoid having to communicate with all users to disconnect it manually?

Thank you for your assistance.

Best regards,

481 Views 0 likes 0 Comments

Blogpost - Create Hyper-V VM and enroll it in Autopilot automatically
Wrote a blog post on how to create a VM and register it for Autopilot automatically (https://powershellisfun.com/2022/08/25/deploy-a-hyper-v-vm-and-register-it-for-autopilot-automatically-using-powershell/)

Below is the script that I created for it, please read the article about how to create the intune.iso and App registration that is needed for this to work.

```powershell
#Requires -RunAsAdministrator

#ISO Paths
$ISOPath = 'D:\ISO'
$IntuneISO = 'D:\ISO\intune.iso'

#Start a stopwatch to measure the deployment time
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()

#Detect if Hyper-V is installed
if ((Get-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V-All -Online).State -ne 'Enabled') {
    Write-Warning ("Hyper-V Role and/or required PowerShell module is not installed, please install before running this script...")
    return
}
else {
    Write-host ("Hyper-V Role is installed, continuing...") -ForegroundColor Green
}

#Set VM Parameters
$VMname = Read-Host 'Please enter the name of the VM to be created, for example W11Intune'
if ((Get-VM -Name $VMname -ErrorAction SilentlyContinue).count -ge 1) {
    Write-Warning ("VM {0} already exists on this system, aborting..." -f $VMname)
    return
}
$VMCores = Read-Host 'Please enter the amount of cores, for example 2'
[int64]$VMRAM = 1GB * (read-host "Enter Memory in Gb's, for example 4")
[int64]$VMDISK = 1GB * (read-host "Enter HDD size in Gb's, for example 40")
$VMdir = (get-vmhost).VirtualMachinePath + $VMname
$ISO = Get-Childitem $ISOPath *.ISO | Out-GridView -OutputMode Single -Title 'Please select the ISO from the list and click OK'
if (($ISO.FullName).Count -ne '1') {
    Write-Warning ("No ISO, script aborted...")
    return
}
$SwitchName = Get-VMSwitch | Out-GridView -OutputMode Single -Title 'Please select the VM Switch and click OK' | Select-Object Name
if (($SwitchName.Name).Count -ne '1') {
    Write-Warning ("No Virtual Switch selected, script aborted...")
    return
}

#Create VM directory
try {
    New-Item -ItemType Directory -Path $VMdir -Force:$true -ErrorAction SilentlyContinue | Out-Null
}
catch {
    Write-Warning ("Couldn't create {0} folder, please check VM Name for illegal characters or permissions on folder..." -f $VMdir)
    return
}
finally {
    if (test-path -Path $VMdir -ErrorAction SilentlyContinue) {
        Write-Host ("Using {0} as Virtual Machine location..." -f $VMdir) -ForegroundColor Green
    }
}

#Create VM with the specified values
try {
    New-VM -Name $VMname `
        -SwitchName $SwitchName.Name `
        -Path $VMdir `
        -Generation 2 `
        -Confirm:$false `
        -NewVHDPath "$($vmdir)\$($VMname).vhdx" `
        -NewVHDSizeBytes ([math]::Round($vmdisk * 1024) / 1KB) `
        -ErrorAction Stop `
    | Out-Null
}
catch {
    Write-Warning ("Error creating {0}, please check logs and make sure {0} doesn't already exist..." -f $VMname)
    return
}
finally {
    if (Get-VM -Name $VMname -ErrorAction SilentlyContinue) {
        write-host ("Created {0}..." -f $VMname) -ForegroundColor Green
    }
}

#Configure settings on the VM, CPU/Memory/Disk/BootOrder/TPM/Checkpoints
try {
    Write-Host ("Configuring settings on {0}..." -f $VMname) -ForegroundColor Green

    #VM Settings
    Set-VM -name $VMname `
        -ProcessorCount $VMCores `
        -StaticMemory `
        -MemoryStartupBytes $VMRAM `
        -CheckpointType ProductionOnly `
        -AutomaticCheckpointsEnabled:$false `
        -ErrorAction SilentlyContinue `
    | Out-Null

    #Add Harddisk
    Add-VMHardDiskDrive -VMName $VMname -Path "$($vmdir)\$($VMname).vhdx" -ControllerType SCSI -ErrorAction SilentlyContinue | Out-Null

    #Add DVD with iso and set it as bootdevice
    Add-VMDvdDrive -VMName $VMName -Path $ISO.FullName -Passthru -ErrorAction SilentlyContinue | Out-Null
    $DVD = Get-VMDvdDrive -VMName $VMname
    $VMHD = Get-VMHardDiskDrive -VMName $VMname
    Set-VMFirmware -VMName $VMName -FirstBootDevice $VMHD
    Set-VMFirmware -VMName $VMName -FirstBootDevice $DVD
    Set-VMFirmware -VMName $VMname -EnableSecureBoot:On

    #Enable TPM and secure boot
    $owner = Get-HgsGuardian UntrustedGuardian
    $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
    Set-VMKeyProtector -VMName $VMname -KeyProtector $kp.RawData
    Enable-VMTPM -VMName $VMname

    #Enable all integration services
    Enable-VMIntegrationService -VMName $VMname -Name 'Guest Service Interface' , 'Heartbeat', 'Key-Value Pair Exchange', 'Shutdown', 'Time Synchronization', 'VSS'
}
catch {
    Write-Warning ("Error setting VM parameters, check settings of VM {0} ..." -f $VMname)
    return
}

#Start VM and wait until VM is at language selection screen
Write-Host ("Starting VM {0}, press Enter to continue when you are on the language selection screen after completing the initial setup steps. `nConnecting to console now...." -f $VMname) -ForegroundColor Green
Start-VM -VMName $VMname
vmconnect.exe localhost $VMName
Pause

#Add Intune ISO
Set-VMDvdDrive -VMName $VMname -Path $IntuneISO
Write-Host ("Press Shift-F10 on the console of VM {0}, switch to d:\ and run d:\autopilot.cmd to upload hardware hash to Intune. The VM will shutdown when done!" -f $VMname) -ForegroundColor Green
Write-Host ("Press Enter when the VM has shutdown to stop this script and disconnect the Intune ISO file from VM {0}" -f $VMname) -ForegroundColor Green
pause
Write-Host ("Ejecting Intune ISO file from VM {0}" -f $VMname) -ForegroundColor Green
Set-VMDvdDrive -VMName $VMname -Path $null

#The end, stop stopwatch and display the time that it took to deploy
$stopwatch.Stop()
Write-Host "Done, the deployment took $($stopwatch.Elapsed.Hours) hours, $($stopwatch.Elapsed.Minutes) minutes and $($stopwatch.Elapsed.Seconds) seconds" -ForegroundColor Green
```

9K Views 5 likes 2 Comments

Windows 11 Autopilot and language packages
Hi everyone,

I work for a company with about 10.000 employees. We have a working SCCM environment and an Autopilot PoC which should go live in the near future. The whole project was in cooperation with DELL. The problem here is that DELL scammed us a little bit, because they always ensured us that we will get the DELL ready image for the region where the notebook is deployed (DELL ready image contains the LPs for all countries in the region, e.g. central Europe, Asia Pacific etc.). At the end Dell told us that it is technically not possible to provide us this image and the only thing they can do is to provide us the basic US image.

That's where our problem started... We need some languages for our subsidiaries in some countries. Thus we tried to create a package for the language install.

1. First idea was to use the PowerShell cmdlet install-language (Install-Language (LanguagePackManagement) | Microsoft Learn). The problem here is that this package runs pretty unstable. During Autopilot the command needs about 30 minutes to finish. Sometimes the command throws an error: "Language Pack or feature could only be partially installed. Error Code: -2147023436" (I guess it is a timeout but I didn't find anything on Google). The strange thing here is that this cmdlet runs pretty good and stable in private environment. I tested it on my PC at home with Windows 10 22H2 and on a company device with the Microsoft en-US base image (Win 11 23H2). With Autopilot it worked 70-80% of the time and the rest failed. It was very strange that in the logs the cmdlet failed with error code: -2147023436, but after Autopilot finished, the language was available if I called get-language. I also monitored it in the OOBE with the PowerShell. Result: cmdlet sometimes failed, Language was av

Does anyone know how install-language works in the background? Which URLs are called or what this error code means?

Thank you for every kind of help

Best regards
Sven

2.5K Views 0 likes 5 Comments

Accessing Win32 App metadata from detect/prereq/program scripts
I have been trying to standardize some workflows w Intune Win32 apps. Reusing components would be ideal, but how you inject the specific context into an instance of a win32 app is where I am researching.

For Detect and Requirement scripts those execute before the intunewin is downloaded or extracted so including a psd1 might work for the Program phase, but can't help the others. Arguments are also more of a Program phase thing and not really supported w Detection and Pre-req phase.

One thing I was wondering though was if agentexecutor set any process environment variables available in the Intune App itself. Basically is any of the content in the App Information page available to scripts running in detect, requirement, and program phases?

309 Views 0 likes 0 Comments

How to Escape Special Characters in the -Filter Property of the Get-IntuneManagedDevice Cmdlet?
TL;DR: How do I escape the pound/hash (#) and apostrophe (') characters in the Filter property of the Get-IntuneManagedDevice cmdlet?

Full Explanation

I'm leveraging the Get-IntuneManagedDevice cmdlet to get devices associated with users by their UserPrincipalName:

```powershell
Get-intunemanageddevice -Filter "userprincipalname eq 'email userUPN at domain.tld'"
```

Whenever I come across a UPN with special characters in it, the cmdlet fails with error:

Invalid filter clause: Syntax error at position NN in 'userprincipalname eq 'user D'UPN at domain.tld''.

So far I've run into this problem when users have:

- "#EXT#" in their UPN indicating an external user
- An apostrophe in their name

How do I escape the pound/hash (#) and apostrophe (') characters in the Filter property of the Get-IntuneManagedDevice cmdlet?

I considered switching to using the user's object ID, instead of the UPN, but swapping "userPrincipalName" for "Id" or "userId" that doesn't yield valid results and curiously seems to return all devices in the organization.

668 Views 0 likes 1 Comment

App installation with PowerShell and winget
Hello,

I'm trying to install a Visual C++ Redistributable package with winget. The first problem I had was that "App Installer" wasn't installed on the devices so I installed it via the "Add-AppxPackage" command. For some Intune showed me that the script had failed but it still was installed and I could use winget.

After that, I created a new script to install VC redist with winget but it failed. In logs, I found the error message and it says that the term "winget" is not recognized as the name of the cmdlet.

Has someone an idea what the problem is?

4.5K Views 0 likes 3 Comments