Trying to enroll a new User and machine into InTune was bringing up the following error

Error : invalid_client

Description : failed to authenticate user

 

 

 

 

 

For some reason, the License for Intune was assigned to the user ( via EMS E3 ) however the Intune plan was switched off. Enabling this resolved the issue

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

 

Check the log @ C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ for more information or


HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Apps\
HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\

 

Win32 apps via Intune Management Extension Agent are cached here:

C:\Program Files (x86)\Microsoft Intune Management Extension\Content

 

Windows LOB apps (single MSI) pushed via MDM channel like the Intune Management Extension Agent itself are cached here during install and then deleted:

C:\Windows\system32\config\systemprofile\AppData\Local\mdm

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
#AllConnectionsUnMetered

#We need a Win32 class to take ownership of the Registry key
$definition = @"
using System;
using System.Runtime.InteropServices; 
 
namespace Win32Api
{
 
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@ 
 
Add-Type -TypeDefinition $definition -PassThru | Out-Null
[Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$false) | Out-Null
 
#Setting ownership to Administrators
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)
 
#Giving Administrators full control to the key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ([System.Security.Principal.NTAccount]"Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name WiFi -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name 3G -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name 4G -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name Ethernet -PropertyType Dword -Value 1 -Force
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost" -Name Default -PropertyType Dword -Value 1 -Force

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

You will need to update the CompanyName to yours

#Change AutoSaveLocation to OneDrive



$onedrivelocation = %userprofile%\OneDrive - **CompanyName**\



mkdir "$onedrivelocation\Autorecover\Word\"

New-ItemProperty -path "HKCU:\Software\Microsoft\Office\16.0\Word\Options" -Name AUTOSAVE-PATH -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Word\"

mkdir "$onedrivelocation\Autorecover\Excel\"

New-ItemProperty -path "HKCU:\Software\Microsoft\Office\16.0\excel\Options" -Name AutoRecoverPath -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Excel\"

mkdir "$onedrivelocation\Autorecover\Powerpoint\"

New-ItemProperty -path "HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Options" -Name PathToAutoRecoveryInfo -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Powerpoint\"
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

I used the Below Policies to create a Local User and Password

./Device/Vendor/MSFT/Accounts/Users/LocalAdmin/Password

However there is no where in CSP to set this to never expire.

You have to use a new Powershell run as the System account separately to do this

Set-LocalUser -Name “localadmin” -PasswordNeverExpires 1

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

There is no current way to download existing Powershell Scripts Uploaded to Intune Device Management. To do this you have to use the graph API. There is a Demo called : DeviceManagementScripts_Get.ps1 , however it wasn’t working for me , so I created the below

 

This downloads a Single Script for you , it asks you for the id ( shows you each linked to the file name ) 


#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$script.fileName + " ( " + $script.id + " )"
}


$scriptid = Read-Host -Prompt "Enter ID you would like to download, number in brackets without spaces"
Write-Host


$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $scriptid
Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
#Decode Base64 into Scripts
$decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
#output File
New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript

This downloads all the Scripts in your InTune Directory

#Function to get AuthToken for Azure GraphAPI
function Get-AuthToken {

<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>

[cmdletbinding()]

param
(
    [Parameter(Mandatory=$true)]
    $User

)

$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User

$tenant = $userUpn.Host

Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    
    if ($AadModule -eq $null) {
        
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable

    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version

    if($AadModule.count -gt 1){

        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]

        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

    else {

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"

    }

[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
 
# Client ID used for Intune scopes

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"

$redirectUri = "urn:ietf:wg:oauth:2.0:oob"

$resourceAppIdURI = "https://graph.microsoft.com"

$authority = "https://login.microsoftonline.com/$Tenant"

    try {

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
    # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession

    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"

    $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
            
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result

    # If the accesstoken is valid then create the authentication header

        if($authResult.AccessToken){

        # Creating header for Authorization token

        $authHeader = @{
            'Content-Type'='application/json'
            'Authorization'="Bearer " + $authResult.AccessToken
            'ExpiresOn'=$authResult.ExpiresOn
            }

        return $authHeader

        }

        else {

        Write-Host
        Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        Write-Host

        break

        }

    }

    catch {

    write-host $_.Exception.Message -f Red
    write-host $_.Exception.ItemName -f Red
    write-host
    break

    }

}

#Get Admin Username

$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
 
#Get Auth Token
 
$authToken = Get-AuthToken -User $User

#Get Scripts

$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts"

$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource/"
$scriptarray = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value


foreach ($script in $scriptarray) {
	$detailuri = "https://graph.microsoft.com/$graphApiVersion/$Resource/" + $script.id
	#Show Scripts in Output
	Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get
	$script64 = (Invoke-RestMethod -Uri $detailuri -Headers $authToken -Method Get).scriptContent
	#Decode Base64 into Scripts
    $decodedscript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($script64))
	#output Files
	New-Item -Path . -Name $script.fileName -ItemType "file" -Value $decodedscript
}
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently I found an InTune pc having issues deploying software and PowerShell 

In the “Company Portal” Store App it showed there was a: Delay in Downloading files error

I then found there was no Management Extension Application Service installed as all

This can be manually downloaded and installed from here : 

https://prodamsub0102data.azureedge.net/IntuneWindowsAgent.msi 

After installing , software started Deploying

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

So you have installed an App silenty via the Intune App Packager 

You’ve used something like setup.exe /silent , as the application didn’t come with a .msi as the install command , how do you get the uninstall command?

You will need to install it first on a test pc

You will then need to run the following powershell to find the GUID of the program in {}

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

The uninstall command will be

msiexec.exe /x {GUID OF APPLICATION) /qb

 
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)


Add-PrinterDriver -Name "HP LaserJet 500 color MFP M570 PCL6 Class Driver"

add-printerport -name "HP500" -printerhostaddress "10.0.100.21"

add-printer -name "HP" -drivername "HP LaserJet 500 color MFP M570 PCL6 Class Driver" -port "HP500"

Set-PrintConfiguration -PrinterName "AAL-MEL-PR-01(HP)" -PaperSize A4 -Color $false -DuplexingMode TwoSidedLongEdge

 

Add-PrinterDriver -Name "Lexmark CX920 Series Class Driver"

add-printerport -name "Lexmark" -printerhostaddress "10.0.100.22"

add-printer -name "Lexmark" -drivername "Lexmark CX920 Series Class Driver" -port "Lexmark"

Set-PrintConfiguration -PrinterName "AAL-MEL-PR-02(Lexmark)" -PaperSize A4 -Color $false -DuplexingMode TwoSidedLongEdge
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Extract the ISO to a folder and run from the root folder

setup.exe /admin

to open this

Go through all the options especially above for the CD Key information and accepting License and Display Level None

Once this is done , Save this as an MSP file with any name in the UPDATES folder of the CD ( The installer runs all the MSP’s in here ) 

 

Next create a config.xml file in the same directory as setup.exe with the below config

<Configuration Product="PrjPror">
<!-- <Display Level="full" CompletionNotice="yes" SuppressModal="no" AcceptEula="no" /> -->
<!-- <Logging Type="standard" Path="%temp%" Template="Microsoft Office Project Professional Setup(*).txt" /> -->
<!-- <USERNAME Value="Customer" /> -->
<!-- <COMPANYNAME Value="MyCompany" /> -->
<!-- <INSTALLLOCATION Value="%programfiles%\Microsoft Office" /> -->
<!-- <LIS CACHEACTION="CacheOnly" /> -->
<!-- <LIS SOURCELIST="\\server1\share\Office;\\server2\share\Office" /> -->
<!-- <DistributionPoint Location="\\server\share\Office" /> -->
<!-- <OptionState Id="OptionID" State="absent" Children="force" /> -->
<!-- <Setting Id="SETUP_REBOOT" Value="IfNeeded" /> -->
<!-- <Command Path="%windir%\system32\msiexec.exe" Args="/i \\server\share\my.msi" QuietArg="/q" ChainPosition="after" Execute="install" /> -->
<Display Level="None" CompletionNotice="No" SuppressModal="No" AcceptEula="Yes" />
<Setting Id="SETUP_REBOOT" Value="Never" />
< /Configuration>

 

Next use IntuneWinAppUtil.exe to package the App Up

c:\TempPath\Intune-Win32-App-Packaging-Tool-master>IntuneWinAppUtil.exe
Please specify the source folder: “F:\Project2010\”
Please specify the setup file: setup.exe
Please specify the output folder: C:\TempPath\Project2010

 

Intune Settings

Install Command : setup.exe /config config.xml

Unintall Command : Setup.exe /uninstall 90140000-00B4-0409-0000-0000000FF1CE

Detection Rule  ( Check File ) : C:\Program Files (x86)\Microsoft Office\Office14\WINPROJ.EXE

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)