How to download Device Management powershell scripts from intune

InTune

There is no current way to download existing Powershell Scripts Uploaded to Intune Device Management. To do this you have to use the graph API. There is a Demo called : DeviceManagementScripts_Get.ps1 , however it wasn’t working for me , so I created the below

 

This downloads a Single Script for you , it asks you for the id ( shows you each linked to the file name ) 


#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$script.fileName + " ( " + $script.id + " )"
}


$scriptid = Read-Host -Prompt "Enter ID you would like to download, number in brackets without spaces"
Write-Host


$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $scriptid
Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
#Decode Base64 into Scripts
$decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
#output File
New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript
DownloadSingleIntunepowershellScript.ps1 view raw

This downloads all the Scripts in your InTune Directory

#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $script.id
	#Show Scripts in Output
	Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
	$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
	#Decode Base64 into Scripts
    $decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
	#output Files
	New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript
}
DownloadAllInTunePowershellFiles.ps1 view raw
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

iManage Desksite – Register Server Connection Pop up on Opening PDF

Research

Recently we had deployed Desksite to a few users , however some of them when opening PDF would get a connection Dialog box opening up and clicking on Connect in the Server List would freeze the screen with 

“Not Responding” 

And the connection would stay disconnected, even though the user was connected fine to Desksite.

We made sure Adobe Protected Mode was disable and ran a Repair of Desksite.

In the End we had to remove and reinstall Desksite from Scratch to repair this

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to deploy trusteer rapport via Intune or GPO silently

Research

Download from 

http://download.trusteer.com/Gcur4Wtnu/RapportSetup-Full_x64.exe

Intune : 

RapportSetup-Full_x64.exe /s /p NOICONS=true NOBROWSER=true ACCEPTLICENSE=TRUE

GPO Powershell Computer Startup Script : 

If(!(Test-Path -path "C:\Program Files (x86)\Trusteer\Rapport\Console.ico"))

 {
 cd "\\local\to\installer\GroupPolicy\Trustee"
.\RapportSetup-Full_x64.exe /s /p NOICONS=true NOBROWSER=true ACCEPTLICENSE=TRUE

}
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

This device hasn’t been setup for corporate use yet – Company Portal

Research

Trying to open the Company Portal as a user after Intune Enrollment shows the below 

 

2019-02-19_10-28-51.jpg

 

When clicking continue to Enroll you then get the error

The device is already registered in Intune

 

You will need to re-enroll the device using the following method

Delete ( or as much as you can ) :  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

Re-enroll PC as the correct User using the Access Work and School Method

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Intune Management Extension Application / Service not installing after InTune deploy

InTune

Recently I found an InTune pc having issues deploying software and PowerShell 

In the “Company Portal” Store App it showed there was a: Delay in Downloading files error

I then found there was no Management Extension Application Service installed as all

This can be manually downloaded and installed from here : 

https://prodamsub0102data.azureedge.net/IntuneWindowsAgent.msi 

After installing , software started Deploying

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to Use Powershell to Mail Merge Outlook Signature for Users out of Active Directory

Research

 

#Get Active Directory information for current user

$UserName = $env:username

$Filter = “(&(objectCategory=User)(samAccountName=$UserName))”

$Searcher = New-Object System.DirectoryServices.DirectorySearcher

$Searcher.Filter = $Filter

$ADUserPath = $Searcher.FindOne()

$ADUser = $ADUserPath.GetDirectoryEntry()

$ADDisplayName = $ADUser.name

$ADTitle = $ADUser.title

$ADOffice = $ADUser.physicalDeliveryOfficeName

$script:ADMobileNumber = $script:ADUser.mobile

$ADTelePhoneNumber = $ADUser.telephoneNumber

$ADExtension1 = $ADUser.extensionAttribute1

$ADExtension2 = $ADUser.extensionAttribute2

$ADExtension3 = $ADUser.extensionAttribute3

 

#Additional Variables

$AppData=(Get-Item env:appdata).value

$SigPath = ‘\Microsoft\Signatures’

$LocalSignaturePath = $AppData+$SigPath

$SignatureName = '%signaturename%'

$DomainName = '%domainname%'

$fulladdetails = $ADDisplayName+$ADExtension1+$ADTitle+$ADOffice+$script:ADMobileNumber+$ADTelePhoneNumber

 

#Check if signature directory exists and, if not, update it

If (Test-Path $LocalSignaturePath)

{}

Else

{New-Item $LocalSignaturePath -type directory}

 

Write-host $fulladdetails

 

#Check if  Signature has changed

If ("$fulladdetails" -eq "$SigChkDetails")

{ Exit }

Else

{  }

 

#Delete old signature files

Remove-Item "$LocalSignaturePath\$ADDisplayName.htm" -Recurse -Force

 

#Copy over signature template

$SigSource = “\\path\to\signature\source"

$filename = "\\path\to\signature\template.htm"

$filename2 = "\\path\to\logo.jpg"

 

Copy-Item $filename $LocalSignaturePath -Recurse -Force

Copy-Item $filename2 $LocalSignaturePath -Recurse -Force
 

#Modify Signature and Insert Variables

(Get-Content $LocalSignaturePath\template.htm) -replace 'FullName', $ADDisplayName | Set-Content $LocalSignaturePath\template.htm

(Get-Content $LocalSignaturePath\template.htm) -replace 'PositionTitle', $ADTitle | Set-Content $LocalSignaturePath\template.htm

(Get-Content $LocalSignaturePath\template.htm) -replace 'PhoneNumber', $ADTelePhoneNumber | Set-Content $LocalSignaturePath\template.htm

 

If(!$script:ADMobileNumber -or !$ADExtension2){

(Get-Content $LocalSignaturePath\template.htm) -replace '<b>M</b> MobileNumber', $NULL | Set-Content $LocalSignaturePath\template.htm}

ELSE

{(Get-Content $LocalSignaturePath\template.htm) -replace 'MobileNumber', $script:ADMobileNumber | Set-Content $LocalSignaturePath\template.htm}

 

If(!$ADExtension1){

(Get-Content $LocalSignaturePath\template.htm) -replace ', Qualification', $NULL | Set-Content $LocalSignaturePath\template.htm}

ELSE

{(Get-Content $LocalSignaturePath\template.htm) -replace 'Qualification', $ADExtension1 | Set-Content $LocalSignaturePath\template.htm}

 

If($ADOffice -ne 'Singapore'){

If(!$ADExtension3){

(Get-Content $LocalSignaturePath\template.htm) -replace 'ImageRow', '<img src="./logo.jpg" width="259" height="74" border="0" />' | Set-Content $LocalSignaturePath\template.htm}

}ELSE

{(Get-Content $LocalSignaturePath\template.htm) -replace 'ImageRow', $null | Set-Content $LocalSignaturePath\template.htm}



 

Rename-Item -Path $LocalSignaturePath\template.htm -NewName "$ADDisplayName.htm"

 

#Set company signature as default for New messages

[Void] [Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Interop.Word")

$MSWord = New-Object -com word.application

$EmailOptions = $MSWord.EmailOptions

$EmailSignature = $EmailOptions.EmailSignature

$EmailSignatureEntries = $EmailSignature.EmailSignatureEntries

$EmailSignature.NewMessageSignature=$ADDisplayName

$MSWord.Quit()

 

#Set company signature as default for Reply messages

[Void] [Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Interop.Word")

$MSWord = New-Object -com word.application

$EmailOptions = $MSWord.EmailOptions

$EmailSignature = $EmailOptions.EmailSignature

$EmailSignatureEntries = $EmailSignature.EmailSignatureEntries

$EmailSignature.ReplyMessageSignature=$ADDisplayName

$MSWord.Quit()
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

GPO to Add Shared Calendar to Users Outlook

Research

VBA Script to Add a Shared Calendar to Users Outlook

'You will need to disable Macro Security for this to run
'Use GPO to deploy VbaProject.OTM to %appdata%\Microsoft\Outlook folder

Private Sub Application_Startup()
 
Call OpenMeetingRoom1
 
End Sub

Sub OpenMeetingRoom1()

    Dim myNamespace As Outlook.NameSpace
    Dim myRecipient As Outlook.Recipient
    Dim CalendarFolder As Outlook.Folder
    
    Set myNamespace = Application.GetNamespace("MAPI")
    Set myRecipient = myNamespace.CreateRecipient("Meeting Rooom 1")
    myRecipient.Resolve
    If myRecipient.Resolved Then
        Call ShowCalendar(myNamespace, myRecipient)
    End If
 
End Sub



Sub ShowCalendar(myNamespace, myRecipient)
    Dim CalendarFolder As Outlook.Folder

    Set CalendarFolder = _
        myNamespace.GetSharedDefaultFolder _
        (myRecipient, olFolderCalendar)
    'Open up the Calendar
    'CalendarFolder.Display
End Sub
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to update email Domain for iManage worksite communication server using 365

Research

  1. Make sure you have a Send Connector in O365 so that I route all emails from your subdomain e.g. imanage.domain.com back to the Public IP where your Communication Server is , use the Router to NAT port 25 from this IP to the communication server and make sure SMTP is allowed through the local firewall

  2. Update the ‘Email Domain’ on the ‘WorkSite Server’ properties to ‘imanage.domain.com’ stop and start the ‘WorkSite Server’ service.

  3. Then update the ‘Domain’ in the communication server ‘Exchange Online’ properties to ‘imanage.domain.com’ stop and start the ‘Exchange Online’ service.

  4. The above will allow internal recipients to Send and File , if  wanting external recipients to be able to file emails to this server, make sure you create an MX Record for imanage.domain.com externally to route to your communications server ( preferably via your Spam Filter) 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

iManage Worksite 10 – Azure 365 AD SAML SSO

Research

 

Azure Single Sign-On 

Identifier (Entity ID): https://imanage.domain.com

Reply URL (Assertion Consumer Service URL): https://imanage.domain.com/api/v1/session/saml-login 

Download Certificate file (.cer) and store on iManage server e.g. C:\SSL\

HIVE: HKLM\SOFTWARE\Interwoven\WorkSite\imDmsSvc 

 

SAML Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 

SAML Endpoint: https://myapps.microsoft.com/signin/iManage%20SAML/xxxxxxx-xxxxxx-xxxx

SAML Key File: C:\SSL\iManageSAML.cer 

SAML Logout Endpoint: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 

SAML Web RP: https://imanage.domain.com

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)