Posts Tagged ‘intune’

Normally you would package up a .bat file in a Win32 application; however, Anaconda installs take quite a while and the command window

The command below starts the install quietly in the background:

start /B CMD /C CALL "C:\ProgramData\Anaconda3\condabin\conda.bat" env update --name base --file base-anaconda-install.yaml

When opening https://portal.manage.microsoft.com/

You see

You don't have any apps yet

Your company hasn’t made any apps available to you on this device.

Getting this device managed might let you access other company resources available to you, such as email and documents. Go to Devices to get started.



However, when you open the Company Portal app via the store, it loads the apps list fine. This happens when you have multiple enrolled devices and the browser doesn’t know which one you have logged in with.

Solution

Click on Devices

Click on the grey bar

Click on the device you are using to access the web and click Add


Open Endpoint Manager and navigate to the Windows 10/11 device > Collect Diagnostics:

After 20(ish) minutes > navigate to Device Diagnostics blade under the device:

 

Open the XML in your browser of choice. This XML will give you an index of sorts as to what you’ll find in the folders:

I recommend copying from the highlighted item down and pasting into an editor with numbered rows to make it easier.

 

Example – I want to see the network info of the device – I can find the results in folder 16


The error is shown as per attached

 

This is because Personal Enrollment is disabled

Go to Intune Blade – Device Enrollment and Enrollment restrictions. Click on Default policy under Device Type Restriction:

Allow Windows (MDM) on Corporate as well as Personal


When trying to deploy a MAM policy, the Teams app asked to sign into the Intune Portal App, which would not let the user sign in.

  1. Uninstall Intune app (Company Policy)
  2. Clear Android Settings | Accounts of all work accounts, including any reference to my personal MS account
  3. When opening Teams, rather than saying “switch accounts”, I just logged in using my personal account (the username for which was pre-filled)
  4. I added the Teams account to the Teams app – prompting the flow of:
    1. Installing the Intune app
    2. Granting device administrator privileges (including giving access to Contacts!)
    3. Getting the message that there is no administrator policy (or some such thing)
    4. Adding a PIN to Teams
  5. Getting back to Teams and signing out of my personal account

This seemed to have worked. I went on to test whether the security worked.

  1. Anything I downloaded to my device I couldn’t open (format incorrect)
  2. I could view stuff in Teams but I couldn’t open it on a native app.

 

  1. Set up an Azure subscription if you haven’t got one already; this will be used for billing. The storage is under $1/month for 1 GB of space
  2. Create a Storage Container in the right Azure region with the correct redundancy (Local Redundancy Storage is cheaper). Use General Purpose V2!
  3. Create a Blob Container in this Storage Resource
  4. Use Storage Explorer to upload files here

  5. Upload the file you would like to deploy
  6. Right click on the file and choose “Get Shared Access Signature”

I set a 100-year expiry and leave access as Read Only.

It will give you a URI and a query string.

Copy the URI ONLY up to the file name (nothing after it, as in the example below) and put it in $BlobUri

Copy the FULL query string and put it in $Sas

Change the output path, which must already exist and end with a trailing \. In this example I have used the user's Desktop.

#Variables: use Azure Storage Explorer to get the Shared Access Signature of the file.
#Copy the URI up to the file name into $BlobUri and the query string into $Sas.
#You will need a new Sas for each file
$BlobUri = 'https://xxxxx.blob.core.windows.net/xxxxx/1.jpg'
$Sas = '?sp=XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
#Output path with \ on the end
$OutputPath = 'C:\Users\' + $env:UserName + '\Desktop\'

#Builds the full URI
$FullUri = "$BlobUri$Sas"
#Downloads the file to the output path, using the file name found in $BlobUri
(New-Object System.Net.WebClient).DownloadFile($FullUri, $OutputPath + ($BlobUri -split '/')[-1])

Deploy this PowerShell file via Device Config Scripts.
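A variant of the download script that checks the SAS fields before using the token and verifies the downloaded file against a known SHA-256 hash; this is an added example, not the script from the original post. `Get-SasField` is a hypothetical helper, the SAS value is a constructed sample, and `$ExpectedSha256` is a placeholder assumed to have been recorded with `Get-FileHash` before the file was uploaded.

```powershell
# Added example: check the SAS, download over TLS 1.2, then verify the file hash.
# Placeholder values below are not real; substitute your own.
$BlobUri        = 'https://xxxxx.blob.core.windows.net/xxxxx/1.jpg'
$Sas            = '?sp=r&se=2030-01-01T00:00:00Z&sig=XXXXXXXX'  # constructed sample SAS
$ExpectedSha256 = '<SHA256-OF-UPLOADED-FILE>'  # assumption: recorded before upload
$OutputPath     = 'C:\Users\' + $env:UserName + '\Desktop\'

function Get-SasField {
    # Hypothetical helper: splits a SAS query string into a name/value hashtable.
    param([string]$SasToken)
    $fields = @{}
    foreach ($pair in ($SasToken.TrimStart('?') -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name -and $null -ne $value) {
            $fields[$name] = [uri]::UnescapeDataString($value)
        }
    }
    return $fields
}

$sasFields = Get-SasField -SasToken $Sas

# sp = signed permissions. A download script only needs read ("r").
if ($sasFields['sp'] -cne 'r') {
    throw "SAS permissions are '$($sasFields['sp'])'; expected read-only 'r'."
}

# se = signed expiry. Fail with a clear message instead of an HTTP 403 later.
if (-not $sasFields['se']) { throw 'SAS has no expiry (se) field.' }
$expiry = [datetimeoffset]::Parse($sasFields['se'], [cultureinfo]::InvariantCulture)
if ($expiry -le [datetimeoffset]::UtcNow) { throw "SAS expired at $expiry." }

# The token is a bearer secret in the URL, so refuse anything but https.
if (([uri]$BlobUri).Scheme -ne 'https') { throw 'BlobUri must use https.' }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$target = $OutputPath + ($BlobUri -split '/')[-1]
Invoke-WebRequest -Uri "$BlobUri$Sas" -OutFile $target -UseBasicParsing

# Compare with the hash recorded at upload time; delete the file on mismatch.
$actual = (Get-FileHash -Path $target -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Remove-Item -Path $target -Force
    throw "Hash mismatch for $target (got $actual)."
}
```

Because the script terminates with an error when a check fails, the device's script run is reported as failed rather than silently leaving an unverified file in place.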


You will need to update the CompanyName to yours.

#Change AutoSaveLocation to OneDrive
#Replace CompanyName with your organisation's name as it appears in the OneDrive folder name
$onedrivelocation = "$env:USERPROFILE\OneDrive - CompanyName"

#Word: create the folder, then point the AutoRecover path at it (-Force makes re-runs safe)
mkdir "$onedrivelocation\Autorecover\Word\" -Force
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Options" -Name AUTOSAVE-PATH -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Word\" -Force

#Excel
mkdir "$onedrivelocation\Autorecover\Excel\" -Force
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\excel\Options" -Name AutoRecoverPath -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Excel\" -Force

#PowerPoint
mkdir "$onedrivelocation\Autorecover\Powerpoint\" -Force
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Options" -Name PathToAutoRecoveryInfo -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Powerpoint\" -Force

I used the policies below to create a local user and password:

./Device/Vendor/MSFT/Accounts/Users/LocalAdmin/Password

However, there is nowhere in the CSP to set the password to never expire.

You have to deploy a separate PowerShell script, run as the SYSTEM account, to do this:

Set-LocalUser -Name "localadmin" -PasswordNeverExpires $true
