Install Software With WinGet As System (UPDATE 2024)

Background: Back in 2022, after a lot of testing, I developed a way to install any machine-wide installer in SYSTEM context using WinGet. For the most part this worked great, however I noticed that if I deployed an application targeted to a device group, the application would not reliably install during autopilot / OOBE. This is because the DesktopAppInstaller UWP appxpackage needs to be installed under a user account before WinGet is available to use.
Read more →

Export all Bitlocker Keys from Entra ID

Premise: In an effort to help those affected by the massive outage caused by past Friday’s CrowdStrike Falcon update debacle, I whipped up the following script. This script will export a list of all devices that are Entra ID joined or hybrid joined and any BitLocker keys present. This uses the Microsoft Graph PowerShell SDK, and the ImportExcel module to connect to Graph, retrieve the device list and export into an Excel spreadsheet in the root of your user profile.
Read more →

GDAP Partner Access With M365 PowerShell Modules

We can utilize our partner delegated access to authenticate to clients directly without the need to use an admin account. We can authenticate as ourselves with delegated access. Pre-requisites: It is highly recommended to use PowerShell 7+ when using any of the following PowerShell modules. Microsoft has ceased all development on Windows PowerShell (5.1 the “blue” window). All current and future focus is on the cross-platform PowerShell core.
Read more →

The New Microsoft Store Experience in Intune

Microsoft recently released the new Microsoft Store integration for Intune. The new integration allows admins to easily search the store and deploy traditional APPX/UWP packages as well as a limited number of new Win32 app packages. WinGet (the Windows package manager) is the technology behind this new experience. This new experience greatly simplifies application deployment through Intune and is intended to replace the Microsoft Store for Business which will be retired in the first half of next year.
Read more →

Introducing the M365 Report Tools PowerShell Module

The Why: I often find the need to gather and extract data from various areas of M365 for auditing or for project planning. I had the idea of putting together a PowerShell module containing wrapper functions for some of the most common reports I and colleagues ask for. I wanted to make the commands easy to discover and easy to use. I would like to introduce the M365.Report.Tools PowerShell module! What can it do?
Read more →


Intune Endpoint Tools PowerShell Module

I am proud to introduce the PowerShell module IntuneEndpointTools. This is the first PS module I have published to the PowerShell gallery. IntuneEndpointTools contains a set of tools for managing and diagnosing Intune MDM on Windows endpoints designed with Intune support staff in mind. Easily perform diagnostic/troubleshooting operations such as getting the MDM diagnostic report, full diagnostic package, forcing a full sync to Intune, forcing reprocessing of assigned applications, and more!
Read more →

Keep Applications Updated with WinGet and Proactive Remediations

The Why: In a previous article, I demonstrated how to deploy applications to Intune using WinGet. I received a request to demonstrate how to use WinGet to update applications, and more importantly, how to run this on a schedule to keep applications updated. Since then, I found a really handy PowerShell wrapper module for WinGet called WinGetTools by Jeffrey Hicks. I made a small contribution to this module to allow it to work running under SYSTEM context.
Read more →

Update Business Voice to Teams Phone Licenses

Microsoft has announced the retirement of Business Voice licensing. If your tenant is still using Business Voice with Calling Plan or Business Voice without Calling Plan, you will need to switch to the new equivalent Teams Phone plan. If you take a look at the Microsoft doc linked above, there are examples for how to update the licenses in bulk, however it is baffling Microsoft chose to demonstrate using the Azure AD PowerShell module, when the licensing portion of that module is slated to be retired as of today (6/30).
Read more →

AAD Token Broker Issues

Problem signs: Outlook refuses to load, or a sign in window loops, opening and closing quickly. Outlook refuses to connect or send / receive mail. The Windows store refuses to open. These are the initial symptoms I have seen when the AAD token broker ‘breaks’ for lack of a better term. Event ID 1098 will be logged repeatedly in the Microsoft-Windows-AAD/Operational event log. The fix: Microsoft has a couple troubleshooting articles on event 1098: Event 1098 Cannot Create New Profiles and Event 1098 Error 0xcaa5001c.
Read more →

KB5014754 Certificate Authentication Woes with NDES/SCEP and Intune

About 2 years ago, I configured NDES and SCEP for a client that was moving all of their workstations to AzureAD join only. NDES and SCEP work together to provide certificate enrollment for AzureAD only joined devices for authentication with Wi-Fi / VPN etc. This was the Microsoft techcommunity article I followed to get this configured. Fast forward to May 2022, in typical Microsoft fashion, a patch was released to fix a security vulnerability to “address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request.
Read more →

O365 License Report With Friendly Names Using The Microsoft Graph

In a previous article, I demonstrated how to export a license report for all users with the ‘friendly’ license names using the AzureAD PowerShell module. Since then, Microsoft has announced the coming retirement of the AzureAD API (and associated PowerShell modules). You should be migrating all scripts over to using the Microsoft Graph PowerShell SDK. Here I will provide a sample script to demonstrate how to export a license report for all users in Azure AD utilizing the Microsoft Graph.
Read more →

Backup and Reset Windows User Profile

Premise: If you use Windows long enough, eventually you will run into a broken user profile. Sometimes it's the Start menu that's busted, or the Windows store won't open etc. If the typical recommendations of sfc / dism / re-register appx packages with PowerShell fail to remedy the issue, see if the issue is isolated to the user profile. Log into another Windows user account and see if the issue persists.
Read more →

Get Data from workstations and send to an Excel Table for free

Premise: There are times when I encounter a situation where I want to gather some data from workstations and store it in a spreadsheet / table etc. for tracking purposes. Recently I was working with a client to deploy a cloud printing solution. The on prem print environment was somewhat complex with multiple shared printers, some of which were locked down to AD security groups. I needed a way to get a pre-deployment printer inventory for each workstation, then compare a post deployment inventory.
Read more →

Working with the Microsoft Graph PowerShell SDK

What is an API anyway? API stands for “Application Interface”. In simplest terms, APIs are services that bridge and allow two systems to interact. When we are talking about web services, such as those in M365, API usually refers to a REST API. I like this explanation from AWS: API architecture is usually explained in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server.
Read more →

Intune for macOS Part 2 - Setup BYOD enrollment and Configure macOS Profiles

Setup BYOD Enrollment: In part 1, we explored how to set up a macOS virtual machine for testing. Now let's look at actually configuring Intune. The first thing we need to do is get an Apple MDM push certificate. Navigate to endpoint.microsoft.com < Devices < Enroll Devices < Apple Enrollment. Download the CSR. Follow the link “Create your MDM Push Certificate”. Sign into your Apple ID (or create one if you do not have one). Click create certificate.
Read more →

Intune Deploy Software with WinGet

Ever since the WinGet package manager was announced, I wanted to find ways to leverage the package manager to simplify deploying software to endpoints. After doing some research and testing, I found that WinGet was unfortunately not designed to be run in SYSTEM context. It was designed to be run under a user account. There is an open issue on GitHub currently and many admins, myself included, would really like WinGet to be designed with enterprise use in mind.
Read more →

Configuring Intune for macOS part 1 - Setup a macOS VM

Premise: One of my clients has an Apple only environment. The client was previously managed with Jamf. Jamf is a great MDM platform for Apple devices and works really well, however there are some downsides. First, the cost of Jamf is quite high, also while Jamf does support M365 conditional access and SSO with M365, it requires a bit more configuration than Intune does. My client was already paying for Enterprise mobility and Security licensing through M365 with Defender ATP for Endpoint so why not take advantage of the included Intune licensing?
Read more →

PowerShell Project - Get the Weather report

I thought it would be a fun project to create a PowerShell function which would get the Weather forecast for a specified location. I started searching online for free Weather REST APIs which I could query for the forecast. I found api.weather.gov which has a completely free and open REST API with complete documentation API Web Service (weather.gov). Checking the documentation, the REST endpoint to query the forecast is https://api.weather.gov/gridpoints/{office}/{grid X},{grid Y}/forecast.
Read more →

Export O365 User License Report with friendly names

I was recently tasked with exporting a report for a client that detailed all users, their location and license assignment in Office 365. I knew the best way to get the job done was by writing a PowerShell script. I did a quick search online and found lots of examples, however all the examples I found were using the deprecated “Microsoft Online” / MSOL PS module. I wanted to use the Azure AD module instead so I played around a bit to get the output I wanted.
Read more →

Collect data in an Azure Table with Power Automate and PowerShell

If there is one thing I love it is automation. If you are a systems administrator, you have probably at some point needed to create some reports using PowerShell. Usually you would do this manually and export this to a CSV then hand off the report in an email or through SharePoint etc. But how can we automate this process? While you could run PowerShell scripts as a scheduled task to fire off an email which is quick and dirty.
Read more →

Remove Document Redirection Policies over VPN

In today’s world of COVID with so many people working from home, more and more organizations are moving to cloud services for file storage. It used to be quite a common practice, at least in my experience to enable folder redirection for users on-prem. Trying to dismantle folder redirection, especially when our users are working remotely can prove to be a challenge. If you have ever attempted to remove a folder redirection GPO, you have undoubtedly discovered folder redirection policies only apply (and remove) at startup/user logon.
Read more →

Remove Document Redirection Policies over VPN

Document Redirection can be a serious PITA In today’s world of COVID with so many people working from home, more and more organizations are moving to cloud services for file storage. It used to be quite a common practice, at least in my experience to enable folder redirection for users on-prem. Trying to dismantle folder redirection, especially when our users are working remotely can prove to be a challenge. If you have ever attempted to remove a folder redirection GPO, you have undoubtedly discovered folder redirection policies only apply (and remove) at startup/user logon.
Read more →

Sync SharePoint Libraries with PowerShell

The Problem: So you want to move your files to SharePoint, great! But your users don’t understand SharePoint, don’t wanna learn SharePoint and just want their file explorer experience. There are a few ways we can go about syncing libraries for our users. We can set a group policy or Intune configuration to automatically sync a SharePoint library, however there are some big caveats with this such as a ~250 URL character limit.
Read more →
