Install Software With WinGet As System (UPDATE 2024)
Background
Back in 2022, after a lot of testing, I developed a way to install any machine-wide installer in SYSTEM context using WinGet. For the most part this worked great, however I noticed that if I deployed an application targeted to a device group, the application would not reliably install during Autopilot / OOBE. This is because the DesktopAppInstaller UWP appxpackage needs to be installed under a user account before WinGet is available to use.
The New Microsoft Store Experience in Intune
Microsoft recently released the new Microsoft Store integration for Intune. The new integration allows admins to easily search the store and deploy traditional APPX/UWP packages as well as a limited number of new Win32 app packages. WinGet (the Windows package manager) is the technology behind this new experience.
This new experience greatly simplifies application deployment through Intune and is intended to replace the Microsoft Store for Business which will be retired in the first half of next year.
Intune Endpoint Tools PowerShell Module
I am proud to introduce the PowerShell module IntuneEndpointTools. This is the first PS module I have published to the PowerShell gallery.
IntuneEndpointTools contains a set of tools for managing and diagnosing Intune MDM on Windows endpoints designed with Intune support staff in mind. Easily perform diagnostic/troubleshooting operations such as getting the MDM diagnostic report, full diagnostic package, forcing a full sync to Intune, forcing reprocessing of assigned applications, and more!
Keep Applications Updated with WinGet and Proactive Remediations
The Why
In a previous article, I demonstrated how to deploy applications to Intune using WinGet. I received a request to demonstrate how to use WinGet to update applications, and more importantly, how to run this on a schedule to keep applications updated. Since then, I found a really handy PowerShell wrapper module for WinGet called WinGetTools by Jeffrey Hicks. I made a small contribution to this module to allow it to work running under SYSTEM context.
KB5014754 Certificate Authentication Woes with NDES/SCEP and Intune
About 2 years ago, I configured NDES and SCEP for a client that was moving all of their workstations to AzureAD join only. NDES and SCEP work together to provide certificate enrollment for AzureAD only joined devices for authentication with Wi-Fi / VPN etc. This was the Microsoft techcommunity article I followed to get this configured.
Fast forward to May 2022, in typical Microsoft fashion, a patch was released to fix a security vulnerability to “address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request.
Get Data from workstations and send to an Excel Table for free
Premise
There are times when I encounter a situation where I want to gather some data from workstations and store it in a spreadsheet / table etc. for tracking purposes. Recently I was working with a client to deploy a cloud printing solution. The on-prem print environment was somewhat complex with multiple shared printers, some of which were locked down to AD security groups. I needed a way to get a pre-deployment printer inventory for each workstation, then compare a post-deployment inventory.
Intune for macOS Part 2 - Setup BYOD enrollment and Configure macOS Profiles
Setup BYOD Enrollment
In part 1, we explored how to set up a macOS virtual machine for testing. Now let's look at actually configuring Intune. The first thing we need to do is get an Apple MDM push certificate.
Navigate to endpoint.microsoft.com < Devices < Enroll Devices < Apple Enrollment. Download the CSR. Follow the link “Create your MDM Push Certificate”. Sign into your Apple ID (or create one if you do not have one). Click create certificate.
Intune Deploy Software with WinGet
Ever since the WinGet package manager was announced, I wanted to find ways to leverage the package manager to simplify deploying software to endpoints. After doing some research and testing, I found that WinGet was unfortunately not designed to be run in SYSTEM context. It was designed to be run under a user account. There is an open issue on GitHub currently and many admins, myself included, would really like WinGet to be designed with enterprise use in mind.
Configuring Intune for macOS part 1 - Setup a macOS VM
Premise
One of my clients has an Apple-only environment. The client was previously managed with Jamf. Jamf is a great MDM platform for Apple devices and works really well, however there are some downsides. First, the cost of Jamf is quite high. Also, while Jamf does support M365 conditional access and SSO with M365, it requires a bit more configuration than Intune does. My client was already paying for Enterprise mobility and Security licensing through M365 with Defender ATP for Endpoint, so why not take advantage of the included Intune licensing?
Export O365 User License Report with friendly names
I was recently tasked with exporting a report for a client that detailed all users, their location and license assignment in Office 365. I knew the best way to get the job done was by writing a PowerShell script.
I did a quick search online and found lots of examples, however all the examples I found were using the deprecated “Microsoft Online” / MSOL PS module. I wanted to use the Azure AD module instead so I played around a bit to get the output I wanted.
Collect data in an Azure Table with Power Automate and PowerShell
If there is one thing I love it is automation. If you are a systems administrator, you have probably at some point needed to create some reports using PowerShell. Usually you would do this manually and export this to a CSV, then hand off the report in an email or through SharePoint etc. But how can we automate this process?
While you could run PowerShell scripts as a scheduled task to fire off an email which is quick and dirty.
Remove Document Redirection Policies over VPN
In today’s world of COVID with so many people working from home, more and more organizations are moving to cloud services for file storage. It used to be quite a common practice, at least in my experience, to enable folder redirection for users on-prem. Trying to dismantle folder redirection, especially when our users are working remotely, can prove to be a challenge. If you have ever attempted to remove a folder redirection GPO, you have undoubtedly discovered folder redirection policies only apply (and remove) at startup/user logon.
Sync SharePoint Libraries with PowerShell
The Problem
So you want to move your files to SharePoint, great! But your users don’t understand SharePoint, don’t wanna learn SharePoint and just want their file explorer experience.
There are a few ways we can go about syncing libraries for our users. We can set a group policy or Intune configuration to automatically sync a SharePoint library, however there are some big caveats with this, such as a ~250 URL character limit.