User Profile Deletion
Hi, I have encountered an error when using Intune to delete user profiles. I am new to this and have put bits and pieces together from multiple sources to try and compile a script. I am using a Detect and Remediation Script deployed via Devices > Scrips and Remediation in Intune, to Windows 10 Enterprise 22H2 and Windows 11 Enterprise 24H2. I will attach scripts at the end. My issue is, the scripts detect and remediate as intended on devices that i have recently enrolled. However, we have devices that will have been enrolled in 2023 which doesn't seem to allow the scripts to run. If I then run an autopilot reset on the device, the scripts work fine. The scripts essentials look for user profiles in C:\Users and remove them if they are older than 1 hour. We want to keep disk space as free as possible especially on the lower spec devices. It ignores SYSTEM and any Admin user folder, as we have a separate script to delete the LAPSAdmin only at 8pm, when the workplace is closed. Note: The LAPSAdmin script worked on the older devices before the where autopilot reset. Does anyone know why this could be the case? Does the 1 hour check have issues reaching profiles that are over 2 years old or is there an issue in the script. Thanks, Dean
Intune Proactive Remediation Script Not Working for Normal Users on AVD Multi-Session
Scenario: We are using Azure Virtual Desktop (AVD) multi-session machines that are Azure AD joined and enrolled in Intune. These machines are part of an Application Group where normal Azure AD users are assigned. Users can successfully log in to the AVD session host. What We Are Doing: We are deploying a Proactive Remediation script (now called Remediations) via Intune. The script is designed to show a confirmation popup to the user. In the script package settings, we have selected: > Run this script using the logged-on credentials (i.e., run in user context) What Works: When a Global Administrator logs in to the AVD machine, the popup appears as expected. Logs and script output are generated correctly. What Doesn’t Work: When a normal user logs in (non-admin Azure AD user), the script: Does not show the popup Does not generate logs Appears to not run at all What We Suspect: The issue may be related to lack of local administrator rights for normal users. Since we are using AVD, we are not logging in with local machine administrators. We understand that system context would allow the script to run regardless of user login, but we specifically need user context to show the popup. Questions: Is this expected behavior for Proactive Remediation scripts in user context on AVD multi-session machines? Do normal users need to be local administrators for the script to run properly in user context? Is there a supported way to show popups or UI prompts to normal users via Intune scripts on AVD? Are there any official Microsoft documents or best practices that explain this behavior or provide a workaround? Additional Info: We are using Windows 10/11 Enterprise multi-session Devices are Azure AD joined Scripts are encoded in UTF-8, and logging is implemented Licensing is compliant with Intune and AVD requirements If anyone has encountered this issue or has documentation or a workaround, your help would be greatly appreciated!
Turn on Memory Integrity via Intune
Hi, I want to turn on Memory Integrity via Intune. I used the following script to turn on Memory Integrity, but it didn't. Also, there are no errors or failure statuses on the Intune Scripts Status page. Could someone please suggest This is the script I used: # Registry key path $registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" # Desired value for Memory Integrity (1 for enabled with UEFI lock) $desiredValue = 1 # Initialize exit code $exitCode = 0 # 0 indicates success by convention try { # Check if the key exists if (Test-Path -Path $registryPath) { $currentValue = Get-ItemProperty -Path $registryPath | Select-Object -ExpandProperty "Enabled" # Check if the value is already set to the desired value if ($currentValue -eq $desiredValue) { Write-Host "Memory Integrity is already enabled with UEFI lock. No changes made." } else { # If the key exists but the value is not as desired, set it to the desired value Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue Write-Host "Memory Integrity enabled with UEFI lock successfully." } } else { # If the key does not exist, create it and set it to the desired value New-Item -Path $registryPath -Force Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue Write-Host "Memory Integrity enabled with UEFI lock successfully." } } catch { Write-Host "An error occurred: $_" $exitCode = 1 # 1 indicates failure } # Exit with the specified exit code exit $exitCode Output of the regedit: Enabled : 1 PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios PSChildName : HypervisorEnforcedCodeIntegrity PSProvider : Microsoft.PowerShell.Core\RegistryScript status showing failed however, the desktop Icon is installed. Deployed script via Intune
I have the following script deployed in Intune. The script is working fine- it is deploying the desktop icon that I want. But the issue is even though the desktop icon is there- it is still showing as status failed in Intune status page #Variables creating local folder and download .ico file $LocalIconFolderPath = "C:\Intune\Xxxxxxxxxxxxxxx" $SourceIcon = "https://xxxxxxxx/xxxxxxxxlogo-wo-wb/xxxxxxxxlogo-wo-wb.ico" $DestinationIcon = "C:\Intune\Xxxxxxxxxxxxxxx\xxxxxxxxlogo-wo-wb.ico" #Step 1 - Create a folder to place the URL icon New-Item $LocalIconFolderPath -Type Directory #Step 2 - Download a ICO file from a website into previous created folder curl $SourceIcon -o $DestinationIcon #Step 3 - Add the custom URL shortcut to your Desktop with custom icon $new_object = New-Object -ComObject WScript.Shell $destination = $new_object.SpecialFolders.Item('AllUsersDesktop') $source_path = Join-Path -Path $destination -ChildPath '\\Global Intranet.lnk' $source = $new_object.CreateShortcut($source_path) $source.TargetPath = 'https://xxxxxxxxxxxxx.sharepoint.com/sites/GlobalIntranet?web=1' $source.IconLocation = ”C:\Intune\Xxxxxxxxxxxxxxx\xxxxxxxxlogo-wo-wb.ico” $source.Save()
Validate your Lync Server 2013 or Skype for Business 2015 Hybrid Configuration
First published on TECHNET on Sep 27, 2016 Ever wondered if your Skype for Business 2015 or Lync Server 2013 Hybrid Configuration is setup properly? Tony Quintanilla and I have developed a script to help customers troubleshoot their hybrid environments.
Powershell Script behaviour - User Context
I have an issue with a specific application that requires each user logon to have registration data for the app in their current user key location. The issue I have is that the system is in KIOSK mode and therefore only applications that are whitelisted are allowed to run. If I whitelist the powershell application I can successfully run the script adding the required values to the registry. In doing this however it presents a tile on the KIOSK setup. Question! How do I allow the use of powershell without presenting a tile? To clarify this doesn't appear to work using the scripts facility on Intune endpoint manager setting the script to user context mode. If I review the AppLocker log following an attempt I can see powershell is blocked. Any assistance with this would be much appreciated. Regards, Jon MasonWorkflow to be run for every specific document or content type?
I will need to look for the solution to implement the manual script initiation for specific file type in the document library (ex. force unlocking a document). Idea is that I will add additional column with the link to manually trigger a workflow to every item with appropriate content type (only MS Office file types). It should look like this: User click on the link of workflow of specific document --> Workflow (param documentId) --> execute the script on the server (with documentId param). Is that scenario possible, if not with workflows, how can I achieve that?
