The Lazy Administrator

Finding ways to do the most work with the least effort possible

Configure Autopilot Hybrid Azure-AD and ADDS Domain Join

January 16, 2020 Brad Wyatt Comments 3 comments

Prerequisites

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization’s network. These addresses must be accessed using the SYSTEM context. If you are using Autopilot, this will be accessed during the enrollment status part:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)

To verify that the device is able to access the above Microsoft resources under the system account, you can use the Test Device Registration Connectivity script.

Review AD DS UPN support for Hybrid Azure AD join

The table below provides details on support for on-premises AD UPNs in Windows 10 Hybrid Azure AD join:

| Type of on-premises AD UPN | Domain type | Windows 10 version | Description |
|---|---|---|---|
| Routable | Federated | From 1703 release | Generally available |
| Non-routable | Federated | From 1803 release | Generally available |
| Routable | Managed | From 1803 release | Generally available, Azure AD SSPR on Windows lockscreen is not |

… Continue...

Homeland Security’s Trusted Travelers API and PowerShell – Getting a Better Global Entry Interview Using PowerShell

December 23, 2019 Brad Wyatt Comments 3 comments

I am flying out of the country in February and I recently decided to enroll in TSA Pre-Check as well as Global Entry. With Global Entry you automatically get TSA Pre-Check, but Global Entry works for international flights as well and is only a few dollars more than TSA Pre-Check.

Once you get your application approved, the next step is to schedule an interview, which is essentially a 15-minute appointment where a customs officer asks you a few questions (like where you are going, when and why) and then takes biometrics (fingerprint scans). The interview must be done in person at one of relatively few U.S. Customs and Border Protection locations, like an international airport, and you must schedule your interview within 30 days of getting your application approved (otherwise you have to resubmit your entire application). You are allowed to drop and pick up appointments if you find … Continue...

Backup and Restore your Intune Configuration using PowerShell

November 26, 2019 Brad Wyatt Comments 10 comments

I found this fantastic PowerShell module from jseerden that queries Microsoft Graph and allows for cross-tenant Backup & Restore of your Intune Configuration. The Intune Configuration is backed up as JSON files in a given directory. The module allows an administrator to back up, restore and even compare different Intune backup sets.

Pre-Requisites

The module requires a total of 3 modules to be present. You can install them by running the following commands in an administrative PowerShell prompt:

AzureAD Module

  1. AzureAD (Install-Module -Name AzureAD)

MSGraphFunctions Module

  1. MSGraphFunctions (Install-Module -Name MSGraphFunctions)

IntuneBackupandRestore Module

The IntuneBackupandRestore PowerShell module is hosted on the PowerShell Gallery. You can install it by running the following command in an administrative PowerShell prompt:

Install-Module -Name IntuneBackupAndRestore

Connect to Microsoft Graph

Next, we will connect to Microsoft Graph using the “Microsoft Intune PowerShell” application in AzureAD, so you don’t need to create your own … Continue...

Office 365 Email Address Policies with Azure Automation

November 20, 2019 Brad Wyatt Comments 3 comments

Email address policies (EAP) define the rules that create email addresses for recipients. By setting up policies you can guarantee your users will have email addresses that follow the rules you have set in place. Unfortunately, in Office 365 Exchange Online there are no email address policies you can set for your users. In a larger organization where multiple people may be creating and editing users in Exchange Online, it’s possible that not all your users are following the address scheme you or your company has implemented. In this article I will leverage PowerShell and Azure RunBooks to make sure all of my users adhere to my company’s EAP.

Setting up the Azure Automation Resources

In the next section I will go over what Azure resources we will be creating and what each one is responsible for. You can skip ahead to the configuration script below which will create … Continue...

Deploy Web Link Shortcuts to the Desktop and Start Menu Using Intune

November 14, 2019 Brad Wyatt Comments 9 comments

I am currently doing an Autopilot / Intune deployment and was asked how we could deploy web link shortcuts to the user’s desktop as well as the Start menu. Currently when you do a web link app deployment in Intune it will only ‘install’ it in the user’s Start menu and not on the user’s desktop. By leveraging PowerShell and Intune Configuration policies we can have it deploy to the Start menu and the desktop.

During my initial search I came across this blog, which was exactly what I was looking for, but since I have OneDrive folder redirection it seemed to be having issues finding the desktop path, and I wanted to use any icons instead of the default Chrome or Edge icons.

Azure Blob and Custom Icons

For the shortcut you need to specify a URL to an ICO file. To do this I set up cold Azure … Continue...

Post Notifications About Unused Office 365 Licenses to Teams using Azure Runbooks

September 18, 2019 Brad Wyatt Comments 0 Comment

I have written several articles on using PowerShell to send alerts and notifications to Microsoft Teams, but up until now they were set up using only the task scheduler. As more and more companies move to the cloud I wanted to see how I could do cloud infrastructure alerting as well. In this article I am using an Azure RunBook to connect to my Office 365 tenant, parse my licenses, and return any that need reconciliation. If you get your Office 365 licenses from a CSP or any other kind of reseller, you may get charged for all of your licenses, applied or not. So it’s a good thing to make sure you don’t have any extra ones lying around.

Set Up the Azure Environment

Resource Group, Runbook and Automation Account Creation

I created a script that you can just change the variables for and it will create the following … Continue...

ChatOps: Setting up PoshBot for Microsoft Teams

August 19, 2019 Brad Wyatt Comments 6 comments

PoshBot is a chat bot written in PowerShell and created by DevBlackOps. ‘It makes extensive use of classes introduced in PowerShell 5.0. PowerShell modules are loaded into PoshBot and instantly become available as bot commands.’ [1] PoshBot can do pretty much anything you configure it to do. You can have it create Azure servers, reset Active Directory passwords, create and modify help desk tickets, license Office 365 users, etc. ‘If you can write it in PowerShell, PoshBot can execute it.’ [1]

Important: PoshBot has some great documentation; make sure you bookmark and review it.

In this guide I will walk you through setting up PoshBot for Microsoft Teams. It’s a little more tedious than Slack (which is a few commands) but once you get it going it works flawlessly. Keep an eye out as I will be publishing more articles on different PoshBot plugins that I create which … Continue...

Configure Windows 10 Accent Color with Intune and PowerShell

August 8, 2019 Brad Wyatt Comments 0 Comment

My last two articles showed you how you can set a computer’s desktop wallpaper and lock screen wallpaper without having Enterprise or Education by using a PowerShell script and Intune. Now I wanted to figure out how to configure the Windows accent color to also match my corporate branding.

Get Color Values

The first thing we need to do is to get the proper registry values for the color we want to use. For this I just set my local computer’s accent color to the color I wanted to apply to my target machines. You only need to do this one time; once you set the color you want and copy the keys, you will not have to do it again.

Once you set the proper color, you will want to navigate to the following registry path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent

  • The first key we want to look at is the AccentColorMenu key.

… Continue...

Set Corporate Lock Screen Wallpaper with Intune for Non Windows 10 Enterprise or Windows 10 Education Machines

August 8, 2019 Brad Wyatt Comments 37 comments

In my previous article I showed you how you can leverage PowerShell and Intune to set a computer’s wallpaper even if the OS was not Enterprise or Education. Currently, if you want to set the wallpaper or lock screen wallpaper via Intune Policies, you must be on either Enterprise or Education. In this article I will show you how you can leverage PowerShell and Intune to set your own lock screen wallpaper no matter the version.

In my example I will use Intune to set the lock screen image of my end user machines to the following image:

First, we need to create a PowerShell script that will do the following:

  • Download the wallpaper
  • Store the wallpaper locally on the target machine
  • Set the lock screen wallpaper

In my example, I want to set my wallpaper as the following image: https://www.thelazyadministrator.com/wp-content/uploads/2019/07/nicewall.jpg, which will be named wallpaper_LazyAdmin.jpg and stored at … Continue...

Set Corporate Wallpaper with Intune for Non Windows 10 Enterprise or Windows 10 Education Machines

July 30, 2019 Brad Wyatt Comments 4 comments

By default, there is an Intune device configuration property that can set a device’s wallpaper (Profile Type: Device Restrictions > Personalization), but this is only applicable on devices running Windows 10 Enterprise and Windows 10 Education. Luckily, using PowerShell we can download an image from the web, save it locally, and set it as our users’ wallpaper.

First we need to create our PowerShell script. In PowerShell ISE I created the following script and saved it to my local machine:

# Registry key the script writes the wallpaper settings to
$RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"

# Names of the registry values set under that key
$DesktopPath = "DesktopImagePath"
$DesktopStatus = "DesktopImageStatus"
$DesktopUrl = "DesktopImageUrl"

$StatusValue = "1"

# Source image URL and the local path it is saved to
$url = "https://www.thelazyadministrator.com/wp-content/uploads/2019/07/nicewall.jpg"
$DesktopImageValue = "C:\MDM\wallpaper_LazyAdmin.jpg"
$directory = "C:\MDM\"

# Create the local directory if it does not exist yet
If ((Test-Path -Path $directory) -eq $false)
{
	New-Item -Path $directory -ItemType directory
}

# Download the image to the local path
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $DesktopImageValue)

# Create the registry key if it is missing
if (!(Test-Path $RegKeyPath))
{
	Write-Host "Creating registry path $($RegKeyPath)."
	New-Item -Path $RegKeyPath -Force | Out-Null
}

New-ItemProperty -Path $RegKeyPath -Name $DesktopStatus -Value $StatusValue -PropertyType DWORD -Force | 
… Continue...
