Posts Tagged ‘intune’

The error is shown as per the attached screenshot.

This is because Personal Enrollment is disabled

Go to Intune Blade – Device Enrollment and Enrollment restrictions. Click on Default policy under Device Type Restriction:

Allow Windows (MDM) on Corporate as well as Personal


While trying to deploy a MAM policy, the Teams app asked the user to sign into the Intune Portal App, which would not let the user in.

  1. Uninstall Intune app (Company Policy)
  2. Clear Android Settings | Accounts of all work accounts, including any reference to my personal MS account
  3. When opening Teams, rather than saying “switch accounts”, I just logged in using my personal account (the username for which was pre-filled)
  4. I added the Teams account to the Teams app – prompting the flow of:
    1. Installing the Intune app
    2. Granting device administrator privileges (including giving access to Contacts!)
    3. Getting the message that there is no administrator policy (or some such thing)
    4. Adding a PIN to Teams
  5. Getting back to Teams and signing out of my personal account

This seemed to have worked. I went on to test whether the security worked.

  1. Anything I downloaded to my device I couldn’t open (format incorrect)
  2. I could view stuff in Teams but I couldn’t open it on a native app.

  1. Set up an Azure subscription if you haven’t got one already; this will be used for billing. The storage is under $1/month for 1 GB of space.
  2. Create a Storage Container in the right Azure Region with the correct redundancy (Local Redundancy Storage is cheaper). Use General Purpose V2!
  3. Create a Blob Container in this Storage Resource
  4. Use Storage Explorer to upload files here
  5. Upload the file you would like to deploy
  6. Right click on the file and choose “Get Shared Access Signature”

I set a 100-year expiry and leave access as Read Only.

It will give you a URI and a query string.

Copy the URI ONLY up to the file name (nothing after it, as in the example below) and put it in $BlobUri

Copy the FULL query string and put it in $Sas

Change the output path, which must already exist and end with a trailing \. In this example I have used the user's Desktop.

#Variables (use Azure Storage Explorer to get the Shared Access Signature URI of the file; copy the first part, up to the file name, into $BlobUri and the query string into $Sas)
#You will need a new Sas for each file
$BlobUri = 'https://xxxxx.blob.core.windows.net/xxxxx/1.jpg'
$Sas = '?sp=XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
#Output path with \ on the end
$OutputPath = 'C:\Users\' + $env:UserName + '\Desktop\'

#Builds the full Uri
$FullUri = "$BlobUri$Sas"
#Downloads the file to the output path, keeping the file name found in $BlobUri
(New-Object System.Net.WebClient).DownloadFile($FullUri, $OutputPath + ($BlobUri -split '/')[-1])

Deploy this PowerShell file via Device Config Scripts
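
The SAS ends up inside a script that is delivered to every targeted device, so whoever can read the script can use the token for as long as it is valid. The following added example (not part of the original post) audits a SAS query string for scope and lifetime before it is embedded, and verifies the downloaded file against a known SHA-256 hash. The function names `Test-SasToken` and `Get-VerifiedBlob`, the 30-day threshold and the sample token are assumptions made for illustration.

```powershell
# Added example: audit a blob SAS, then download and verify the file.
function Test-SasToken {
    param([string]$Sas, [int]$MaxDays = 30)   # 30 days is an assumed policy limit
    $p = @{}
    foreach ($pair in $Sas.TrimStart('?') -split '&') {
        $k, $v = $pair -split '=', 2
        if ($k) { $p[$k] = [uri]::UnescapeDataString([string]$v) }
    }
    $findings = @()
    # sp = permissions, spr = allowed protocol, se = expiry time
    if ($p['sp'] -cne 'r')      { $findings += "permissions '$($p['sp'])' are not exactly read-only (sp=r)" }
    if ($p['spr'] -ne 'https')  { $findings += 'token is not restricted to HTTPS (spr=https)' }
    if (-not $p['se'])          { $findings += 'no expiry (se) in the token' }
    else {
        $expiry = [datetimeoffset]::Parse($p['se'], [cultureinfo]::InvariantCulture)
        if ($expiry -gt [datetimeoffset]::UtcNow.AddDays($MaxDays)) {
            $findings += "expiry $($p['se']) is more than $MaxDays days away"
        }
    }
    return ,$findings
}

function Get-VerifiedBlob {
    param([string]$BlobUri, [string]$Sas, [string]$OutputPath, [string]$ExpectedSha256)
    $name   = ($BlobUri -split '/')[-1]
    $target = Join-Path $OutputPath $name
    $temp   = "$target.partial"
    Invoke-WebRequest -Uri "$BlobUri$Sas" -OutFile $temp -UseBasicParsing
    # Compare against the hash recorded when the file was uploaded
    $actual = (Get-FileHash -Path $temp -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item $temp -Force
        throw "SHA-256 mismatch for $name, file discarded"
    }
    Move-Item $temp $target -Force
    return $target
}

# Constructed sample token (placeholder signature) with a 100-year expiry
$sample = '?sp=r&st=2019-03-01T00:00:00Z&se=2119-03-01T00:00:00Z&spr=https&sv=2018-03-28&sr=b&sig=PLACEHOLDER'
Test-SasToken -Sas $sample | ForEach-Object { Write-Warning $_ }
```

Record the expected hash with `Get-FileHash` on the source file before uploading it, and pass it to `Get-VerifiedBlob` in the deployed script.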

Trying to enroll a new user and machine into Intune was bringing up the following error:

Error : invalid_client

Description : failed to authenticate user

For some reason, the license for Intune was assigned to the user (via EMS E3), however the Intune plan was switched off. Enabling this resolved the issue.


You will need to update the CompanyName to yours

#Change AutoSaveLocation to OneDrive
#Replace CompanyName with the name used in your OneDrive folder
$onedrivelocation = "$env:USERPROFILE\OneDrive - CompanyName"

#-Force stops mkdir failing when the folder already exists and lets New-ItemProperty overwrite an existing value
mkdir -Force "$onedrivelocation\Autorecover\Word\"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Options" -Name AUTOSAVE-PATH -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Word\" -Force

mkdir -Force "$onedrivelocation\Autorecover\Excel\"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\excel\Options" -Name AutoRecoverPath -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Excel\" -Force

mkdir -Force "$onedrivelocation\Autorecover\Powerpoint\"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\PowerPoint\Options" -Name PathToAutoRecoveryInfo -PropertyType "ExpandString" -Value "$onedrivelocation\Autorecover\Powerpoint\" -Force

I used the below policies to create a local user and password

./Device/Vendor/MSFT/Accounts/Users/LocalAdmin/Password

However, there is nowhere in the CSP to set this to never expire.

You have to use a separate PowerShell script run as the System account to do this

Set-LocalUser -Name "localadmin" -PasswordNeverExpires $true


Download from 

http://download.trusteer.com/Gcur4Wtnu/RapportSetup-Full_x64.exe

Intune : 

RapportSetup-Full_x64.exe /s /p NOICONS=true NOBROWSER=true ACCEPTLICENSE=TRUE

GPO Powershell Computer Startup Script : 

If (!(Test-Path -Path "C:\Program Files (x86)\Trusteer\Rapport\Console.ico"))
{
    cd "\\local\to\installer\GroupPolicy\Trustee"
    .\RapportSetup-Full_x64.exe /s /p NOICONS=true NOBROWSER=true ACCEPTLICENSE=TRUE
}

Trying to open the Company Portal as a user after Intune enrollment shows the below

[Screenshot: 2019-02-19_10-28-51.jpg]

When clicking continue to enroll you then get the error

The device is already registered in Intune

You will need to re-enroll the device using the following method

Delete (or as much of it as you can): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

Re-enroll the PC as the correct user using the Access Work and School method

If it asks you for the Server URL for MDM you can use this

EnterpriseEnrollment-s.manage.microsoft.com


Recently I found an Intune PC having issues deploying software and PowerShell

In the “Company Portal” Store App it showed there was a: Delay in Downloading files error

I then found there was no Management Extension Application Service installed at all

This can be manually downloaded and installed from here:

https://prodamsub0102data.azureedge.net/IntuneWindowsAgent.msi

After installing, software started deploying


So you have installed an app silently via the Intune App Packager

You’ve used something like setup.exe /silent as the install command, as the application didn’t come with a .msi. How do you get the uninstall command?

You will need to install it first on a test PC

You will then need to run the following PowerShell to find the GUID of the program in {}

Get-WmiObject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

The uninstall command will be

msiexec.exe /x {GUID OF APPLICATION} /qb
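
Enumerating Win32_Product is slow and makes Windows Installer run a consistency check on every installed MSI package, and it lists only MSI-based products. As an alternative technique, this added example (not from the original post) reads the Uninstall registry keys instead and returns a ready-made uninstall command for both MSI and non-MSI installers. The function name `Get-UninstallCommand` and the `*Rapport*` search pattern are assumptions chosen for illustration.

```powershell
# Added example: find the uninstall command from the registry instead of Win32_Product.
function Get-UninstallCommand {
    param([Parameter(Mandatory)][string]$NamePattern)

    # 64-bit, 32-bit and per-user uninstall entries
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            # WindowsInstaller = 1 marks an MSI product; its key name is the product GUID
            $isMsi = ($_.WindowsInstaller -eq 1)
            if ($isMsi) {
                $command = "msiexec.exe /x $($_.PSChildName) /qb"
            } elseif ($_.QuietUninstallString) {
                $command = $_.QuietUninstallString
            } else {
                # Non-MSI installer without a silent string: silent switches are vendor specific
                $command = $_.UninstallString
            }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                IsMsi     = $isMsi
                Uninstall = $command
            }
        }
}

# Example search on the test PC; the pattern is an illustrative choice
Get-UninstallCommand -NamePattern '*Rapport*' | Format-List
```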
