Get Intune and Endpoint policies using PowerShell

Recently, I wrote an article about how to use PowerShell to connect to Intune and Microsoft Endpoint Manager. You’ll find it here:

Intune connection PowerShell script

Having a script that just connects to Intune doesn’t achieve a whole lot now does it? It’s now time to put that connection script to good use.

image

I’ve created another script, that once connected to Intune will allow you to display all the policy names you have configure in both Intune and Endpoint Manager as shown above. You can find that script here:

https://github.com/directorcia/Office365/blob/master/intune-policy-get.ps1

You’ll need to use my script to connect to Intune first. Once you have you can run the second script.

Although these scripts don’t do a huge amount, they will help you hopefully more easily connect to Intune with PowerShell and understand how you can also use PowerShell to work with information in both Intune and Endpoint Manager.

I’ll work on more advanced scripts for Intune and Endpoint that I’ll share in the future. However, this should hopefully get you up and running with automating device management in Microsoft 365.

New Intune connection PowerShell script

image

I’ve uploaded a new connection to Intune script that is freely available on my Github repository. You’ll find it here:

https://github.com/directorcia/Office365/blob/master/Intune-connect.ps1

image

Once it has been run you can run commands like:

get-autopilotprofile

as shown above.

To allow this script to operate correctly you’ll need the following two modules installed:

WindowsAutoPilotIntune

and

Microsoft.Graph.Intune

Both of these will be installed as part of my o365-setup.ps1 and o365-update.ps1 scripts, which are also freely available.

image

I’ve also added this Intune connection script to the connection selector script (c.ps1) in the same repository.

image

When intune-connect.ps1 runs you’ll be prompted for your credentials as normal.

image

Then you password and MFA if required.

image

Because connection to Intune via PowerShell now uses the Microsoft Graph, you’ll need to allow the above permissions as shown once.

SNAGHTML95fe247f

You’ll find those permissions, when you accepted them, in Azure AD, User, Applications as shown above inside the Azure portal. In there will be an application called Microsoft Intune PowerShell as shown above.

image

If you select that Microsoft Intune PowerShell and scroll down to the bottom of the screen that is displayed, you can select a link View granted permissions as shown above.

image

You will then see all the permission granted to that user for accessing the Graph. You can also remove these if you ever want to as well here.

Having access to Intune and Autopilot via PowerShell will make automating device management much easier.

Need to Know podcast–Episode 261

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-261-mark-oshea/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

I speak with a returning guest Mark O’Shea around the changes we’ve seen recently in Microsoft 365, especially around device management and Microsoft Endpoint Manager. The whole device deployment and management landscape is changing fast. It all used to be about Intune but now the focus is really Endpoint Manager and Mark helps us understand the why’s and what fors.

I’ve also got a swag of Microsoft Cloud news to share with you to bring up to date with the latest happenings.

As always, thanks for being a subscriber and don’t hesitate to share what I do with others.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Resources

@intunedin

Intunedin.net

@directorcia

What’s New with Microsoft 365 | November 2020 [VIDEO]

What’s New in Microsoft Teams | November 2020

Teams Breakout rooms go GA

Microsoft Edge v.88: Deprecate support for FTP protocol

Microsoft Edge v.88: Adobe Flash support will be removed

Microsoft Edge v.88: Alerts if your passwords are found in an online leak

Add to OneDrive is generally available

Introducing the SharePoint Success Site – Drive adoption and get the most out of SharePoint

Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

New datacenters for Sweden, Denmark, and Chile

CIAOPS Patron community

Need to Know podcast–Episode 260

We welcome back Brenton Johnson to speak about his success with Intune and how he’s using it to manage devices for his customers. Brenton shares his journey as well as some handy best practices during our chat.

Of course, there is also all the Microsoft Cloud news to get through, so sit back and enjoy this bumper episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-260-brenton-johnson/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Uptake Digital

Power Apps Community plan

Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs

The Microsoft Cloud App Security (MCAS) Ninja Training is Here!

Extend data loss prevention to your devices with Microsoft Endpoint Data Loss Prevention, now generally available

It’s Time to Hang Up on Phone Transports for Authentication

See how to easily keep tabs on your Azure Sentinel ingestion costs

What’s new: Microsoft 365 Defender connector now in Public Preview for Azure Sentinel

Microsoft’s Cloud PC: Leak reveals new details on upcoming Azure-powered remote desktop

What’s New in Microsoft Teams | October 2020

The definitive guide to Productivity Score

Need to Know podcast–Episode 259

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about some automation options that are available in the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-259-baselines/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 20

@directorcia

Use security baselines to configure Windows 10 devices in Intune

Preset security policies in EOP and Microsoft Defender for Office 365

CIAOPS Patron Community

Intune Data Collection Policy Error 0x87d1fde8

State = error

State Details = -2016281112 (Remediation failed)

image

It all started when I was checking my Intune Configuration policies and I found that all of a sudden I have a new policy called Intune data collection policy as shown above, that I didn’t created. Worse, it had errors!

image

When I looked at a specific device that was affected, as shown above, I could see two errors on the device. One was from a user designated as System account, which was also somewhat puzzling.

image

Digging further I found that the State was Error and the State details were -2016281112 (Remediation failed) as you can see above.

image

At the most granular level, I found the Error code was 0x87d1fde8 as shown above.

image

It turns out that the Intune data collection policy gets created when you use Endpoint Analytics as shown above.

image

This gives you some really nice reports as shown above on your Windows devices. You can read more about it here:

What is Endpoint Analytics?

I had now solved where the mystery Intune data collection policy came from and after much research it turns out that the device errors are because of licensing as you can read here:

Licensing Prerequisites

which says:

Endpoint analytics is included in the following plans:

Proactive remediations also require one of the following licenses for the managed devices:

  • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

  • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)

  • Windows Virtual Desktop Access E3 or E5

The error I was seeing was due to those machines only being Windows 10 Pro, NOT Win 10 Enterprise! Endpoint Analytics currently only works with Windows 10 Enterprise licensed devices.

Once I had changed the Intune data collection policy to exclude the Windows 10 Pro machines the errors went away, as did the duplicate System account as well.

Hopefully, Microsoft will consider extending Endpoint Analytics to Windows 10 Pro machines as well, but for now you’ll need to exclude them from any Intune data collection policy if you don’t want errors in Endpoint Manager.

Need to Know podcast–Episode 257

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about some automation options that are available in the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-257-windows-autopilot/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 18

@directorcia

Modern Device Management – Part 7

CIAOPS Patron Community

Modern Device Management with Microsoft 365 Business Premium–Part 9

Previous parts in this series have been:

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

Intune MAM – Modern Device Management with Microsoft 365 Business premium – Part 3

Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4

Baselines – Modern Device Management with Microsoft 365 Business Premium – Part 5

Deployment – Modern Device Management with Microsoft 365 Business Premium – Part 6

Autopilot admin – Modern Device Management with Microsoft 365 Business Premium – Part 7

Autopilot endpoint – Modern Device Management with Microsoft 365 Business Premium – Part 8

In part 3 I talked about Mobile Application Management (MAM) and in the last part, I talked about Windows deployment using Autopilot, now it is time to look at deploying applications to devices via Endpoint Manager.

image

This tasks will be accomplished via the All apps option inside the Apps menu in Microsoft Endpoint Manager as shown above.

image

Here you’ll see a list of existing applications, but what you’ll typically need to do is select Add from the menu at the top to add a custom application.

image

You’ll now need to select an app type, as you can see above, from the list that appears. Because we are dealing with applications across a wide range of platforms, you need to create a deployment policy for each app on each platform.

image

In this case, I’ll go with an application from the iOS store as shown above, just to keep things simple.

image

I’ll then need to select the link, as shown above, to Search the App Store for the desired application. Note that it doesn’t necessarily have to come from the store, but it is easier if it does.

image

Here, I’ll locate Microsoft Whiteboard as shown above and select it.

image

The details of the app are now populated as shown above. You can make any changes here you wish. Note, I have elected to feature this app in the Company Portal as well.

image

Next, I can target that application to be Required by users and or devices, which I have done as shown above. However, you see that it is possible to just make the application available (i.e. optional) for enrolled and non-enrolled devices as well as being able to uninstall the application if present.

image

You can now review the application settings and then press the Create button to complete the policy process.

image

In a short amount of time the device will process that policy as seen above. Here the user will be prompted that a required application will be installed. Press Install on device to continue.

image

The application will be installed.

image

The application is now ready for use on the device.

image

If you now look back at the All Apps area, as shown above, you should see the app that was just configured for deployment.

image

If you select this entry and then select Device install status, you should see a confirmation that the Status is installed as shown above.

image

If you take a look inside the Intune Company Portal App, you see the app is featured as shown above. The application can now be installed directly from here as well if needed.

image

To configure the settings for applications that are deployed, navigate to the the App configuration policies option as shown above and select the Add button that appears on the right.

image

Here, I will select Managed devices from the drop down menu that appears.

image

To keep things simple, I’ll choose to configure the Outlook app for iOS. This is because there are many different ways to configure applications, especially if they are not from Microsoft or not common apps like Outlook, Word, Excel, etc.

In this case, you need to click the Select app at the bottom of the page as shown.

image

Select the Outlook option from the menu that appears as shown.

image

Because this a ‘well-known’ app, I select Use configuration designer in the Configuration settings format field as shown. This presents a number of options I can now configure for that application.

image

You’ll then need to allocate this application configuration policy as shown above. Again, to keep this example simple, the option for All users and all devices has been selected but you can get more granular if you wish.

image

You can now Review and Create the policy.

image

The policy should then appear in the list of App configuration policies as shown above. You can select the policy name at any time to return to editing the policy.

image

The main take away is that you can use Endpoint Manager to create deployment and configuration policies for the different applications on the different platforms and apply them quickly and easily. As shown above, this also extends to granular configuration of the Office suite of apps.

It is important to remember that there can be a lot to configure here if you consider individual apps on individual platforms, so be prepared for some set up initially. But, once complete, deployment and configuration going forward across all platforms is easy. The main benefit is that both deployment and configuration can be done directly across the Internet for both enrolled and non-enrolled devices give good management of devices in the environment.

Modern Device Management with Microsoft 365 Business Premium – Part 10