Recently working on a Proof Of Concept enabling a MAM policy to lockdown and protect an application (Teams) on a device that not enrolled in Intune, and the File Ownership prompt in guides was not appearing.

The Intune License was applied to the user and the user was enabled for  MAM User Scope , and the MAM policy was applied to the User  

However no file ownership still and no encryption of files. Turns out the device has to be joined to the companys Azure AD ( or Local AD and Hybrid ) for this to happen and display the info box

This will show you its enrolled in MAM ( not MDM ) 

After this File Ownership is displayed !

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
  1. Setup an Azure subscription if you haven’t got this already, this will be used for Billing. The storage is under a 1$/Month for 1 GB space 
  2. Create a Storage Container in the right Azure Region with the correct redundancy ( Local Redundancy Storage in Cheaper ) . Use General Purpose V2!
  3. Create a Blob Container in this Storage Resource
  4. Use Storage Explorer to upload files here

  5. Upload what file you would like to deploy
  6. Right click on the file and choose “Get Shared Access Signatue”

I set a 100 Year Expiry , and leave access as Read Only

It will give you URI and query string

Copy the URI ONLY up to the file name ( nothing after e.g. the example below )  and put in $BlobUri

Copy the FULL Query String and put in $Sas

Change the Output Path which will need to exist with a trailing \, this example I have used the Users Desktop

#Variables ( Use the Azure Storage Explorer to get the URI ( Shared Access Signature ) of the file and copy the first part up to the file name in BlobURI and the Query String to the Sas) 
#You will need a new Sas for each file

$BlobUri = 'https://xxxxx.blob.core.windows.net/xxxxx/1.jpg'
$Sas = '?sp=XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
#Output Path with \ on the end
$OutputPath = 'C:\Users\' + $env:UserName + '\Desktop\'



#Gets full Uri
$FullUri = "$BlobUri$Sas"
#Downloads file to outpath with correct file type and file found in BlobURI
(New-Object System.Net.WebClient).DownloadFile($FullUri, $OutputPath + ($BlobUri -split '/')[-1])

Deploy this powershell file via Device Config Scripts

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

 

Trying to enroll a new User and machine into InTune was bringing up the following error

Error : invalid_client

Description : failed to authenticate user

 

 

 

 

 

For some reason, the License for Intune was assigned to the user ( via EMS E3 ) however the Intune plan was switched off. Enabling this resolved the issue

VN:F [1.9.22_1171]
Rating: 5.5/10 (2 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

 

Check the log @ C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ for more information or


HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Apps\
HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\

 

Win32 apps via Intune Management Extension Agent are cached here:

C:\Program Files (x86)\Microsoft Intune Management Extension\Content

 

Windows LOB apps (single MSI) pushed via MDM channel like the Intune Management Extension Agent itself are cached here during install and then deleted:

C:\Windows\system32\config\systemprofile\AppData\Local\mdm

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
#AllConnectionsUnMetered

#We need a Win32 class to take ownership of the Registry key
$definition = @"
using System;
using System.Runtime.InteropServices; 
 
namespace Win32Api
{
 
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@ 
 
Add-Type -TypeDefinition $definition -PassThru | Out-Null
[Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$false) | Out-Null
 
#Setting ownership to Administrators
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)
 
#Giving Administrators full control to the key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ([System.Security.Principal.NTAccount]"Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name WiFi -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name 3G -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name 4G -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name Ethernet -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name Default -PropertyType Dword -Value 1 -Force

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

You will need to update the CompanyName to yours

#Change AutoSaveLocation to OneDrive



$onedrivelocation = %userprofile%\OneDrive - **CompanyName**\



mkdir "$onedrivelocation\Autorecover\Word\"

New-ItemProperty -path "HKCU:\Software\Microsoft\Office\16.0\Word\Options" -Name AUTOSAVE-PATH -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Word\"

mkdir "$onedrivelocation\Autorecover\Excel\"

New-ItemProperty -path "HKCU:\Software\Microsoft\Office\16.0\excel\Options" -Name AutoRecoverPath -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Excel\"

mkdir "$onedrivelocation\Autorecover\Powerpoint\"

New-ItemProperty -path "HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Options" -Name PathToAutoRecoveryInfo -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Powerpoint\"
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

I used the Below Policies to create a Local User and Password

./Device/Vendor/MSFT/Accounts/Users/LocalAdmin/Password

However there is no where in CSP to set this to never expire.

You have to use a new Powershell run as the System account separately to do this

Set-LocalUser -Name “localadmin” -PasswordNeverExpires 1

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

There is no current way to download existing Powershell Scripts Uploaded to Intune Device Management. To do this you have to use the graph API. There is a Demo called : DeviceManagementScripts_Get.ps1 , however it wasn’t working for me , so I created the below

 

This downloads a Single Script for you , it asks you for the id ( shows you each linked to the file name ) 


#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$script.fileName + " ( " + $script.id + " )"
}


$scriptid = Read-Host -Prompt "Enter ID you would like to download, number in brackets without spaces"
Write-Host


$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $scriptid
Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
#Decode Base64 into Scripts
$decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
#output File
New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript

This downloads all the Scripts in your InTune Directory

#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $script.id
	#Show Scripts in Output
	Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
	$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
	#Decode Base64 into Scripts
    $decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
	#output Files
	New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript
}
VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently I found an InTune pc having issues deploying software and PowerShell 

In the “Company Portal” Store App it showed there was a: Delay in Downloading files error

I then found there was no Management Extension Application Service installed as all

This can be manually downloaded and installed from here : 

https://prodamsub0102data.azureedge.net/IntuneWindowsAgent.msi 

After installing , software started Deploying

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

So you have installed an App silenty via the Intune App Packager 

You’ve used something like setup.exe /silent , as the application didn’t come with a .msi as the install command , how do you get the uninstall command?

You will need to install it first on a test pc

You will then need to run the following powershell to find the GUID of the program in {}

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

The uninstall command will be

msiexec.exe /x {GUID OF APPLICATION) /qb

 
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)