Managing local admins on Azure AD Joined devices

We've been able to do this for quite some time. We've been able to add individual users as local administrators on Azure AD joined devices. More recently this has become a lot easier. We can now use Azure AD groups to manage this. With Azure AD Premium P1 or P2, you can create a role-assignable group and assign the Device Administrator roles to the group.

There are some additional considerations. Firstly, you can only configure a group to be role-assignable when you create the group. You cannot change this afterwards.

I've created a group called "Local admins test 1". See the configuration "Azure roles can be assigned to the group". I've toggled this to yes.

We're told that we cannot change this setting after the group is created.

Next I've created a group called "Local admins test 2". This time I didn't select that Azure roles can be assigned to the group.

You can see that this setting cannot be turned off after the group has been created.

It can't be turned on either.

Now when I add an assignment to the Device Administrators role, only "Local admins test 1" is available for selection.

Note that you must be a Privileged Role Administrators or Global Administrator to create the group in the first place. 

If you are not then the "Azure roles can be assigned to the group" option is not available (you can't even see it).

Finally this option is only supported for Assigned groups.

Just for kicks I've selected Dynamic User.

However it automatically changes to Assigned and greyed out, once I toggle the option to Yes. 

I hope this helps. Until next time.......

Tips for onboarding servers to Defender for Endpoint

This week is all about Microsoft Defender for Endpoint (MDE). It's very easy to onboard workstations (Windows 10/11) to MDE. Intune does that automatically for you.

Navigate to Endpoint Security > Endpoint detection and response, create the policy and assign to all devices. 

There is a little more to do for servers as they are not supported for enrollment in Intune.

First, how would you know if your server was already onboarded to MDE? Obviously you could search for the server in the Microsoft 365 Defender portal, but how can you tell on the server itself?

Look at the services. If the Windows Defender Advanced Threat Protection Service (Service name: Sense) is Automatic and Running, then the server has been onboarded. The screenshot above shows a server that has not been onboarded. The behaviour and the onboarding steps are slightly different depending on the server operating system.

Note: when you use Microsoft Defender for Cloud to monitor servers, they are automatically onboarded to Defender for Endpoint. For this blog post, I'm assuming you are not using Defender for Cloud. 

Windows Server 2012R2

2012R2 servers do not include Defender Antivirus or Defender for Endpoint natively. You must install the unified Defender solution on these servers.

Onboarding steps are as follows:

• Install the unified Defender client (this is downloaded from MDE portal). This installs Microsoft Defender Antivirus and the EDR sensor. It creates the Windows Defender Advanced Threat Protection Service. The service is not started and is set to Manual.
• Install the unified Defender client update package (KB5005292 - download here). This updates the EDR sensor, which communicates with MDE.
• Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

Windows Server 2016

2016 servers natively include Defender Antivirus (as long as the Defender feature is added) but not Defender for Endpoint. You must install the unified Defender solution on these servers.

Onboarding steps are as follows:

• Verify that the Defender feature is added and updated. Defender must also be turned on.
• Run updateplatform hotfix (download here from Microsoft Malware Protection Center (MMPC)). This updates Defender to the latest version.
• Install the unified Defender client (this is downloaded from MDE portal). This installs the EDR sensor. It creates the Windows Defender Advanced Threat Protection Service. The service is not started and is set to Manual.
• Install the unified Defender client update package (KB5005292 - download here). This updates the EDR sensor, which communicates with MDE.
• Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

You will get this error if you don't update the platform before you install the unified Defender client.

Please update Windows Defender Antivirus (KB4052623) to the latest version.

Windows Server 2019 (and 2022)

These servers already include Defender AV and the EDR sensor. The Windows Defender Advanced Threat Protection Service already exists but is not running and is set to Manual.

There is one onboarding step:

• Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

The steps above can be automated using your server management solution. 

You've now onboarded the server and the Windows Defender Advanced Threat Protection Service is running. Where can you see the onboarding details?

You need to look in the registry. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM. Here you can see the Tenant ID and enrollment status. You should see EnrollmentStatus = 1.

I hope this helps. Until next time......

Intune app install failed - an app update is available 0x87D13B9F

I'm working on an iOS management solution for a customer this week involving the integration of Apple Business Manager and Intune. I also integrated Apple VPP with Intune for the deployment of volume purchased apps. Everything was working well until I noticed that some apps were failing. Microsoft Teams and Microsoft OneDrive has reported as Failed (big red icon) in the Intune console, with this error:

"An app update is available. Available apps can be updated using Company Portal and required apps will auto-update on device sync. (0x87D13B9F)".

This wasn't quite right. The apps had installed, but Intune was telling me that there was a new version available. I didn't like the red "failed" icon so I wanted to fix it.

In Apple Business Manager I had a look at Teams and could see that a new version had just been published.

I had configured the VPP token in Intune to automatically update apps, so why did it fail? You can find the answer in the Microsoft docs. 

"By default, Intune syncs with the Apple Business Manager service twice a day".

Therefore the latest version of the app wasn't yet available in Intune. I could just have waited for the automatic sync and this would have just resolved itself. 

A manual sync of the VPP token does the trick.

The new version was automatically installed and reported successful.

This Microsoft doc has further information. 

"When updating a VPP app, it can take up to 24 hours for the device to receive the updated VPP app".

This is more an annoyance than an error, especially when you are doing customer demonstrations, but it is easily solved. 

I hope this helps. Until next time.....

Remove pre-installed HP software during Autopilot

This was a task I was given by a customer recently. They wanted all the pre-installed HP software removed when provisioning HP ProBook 450 G8 laptops using Autopilot and Intune. As I like to tell customers, "if you can script it you can do it with Intune".

This was the list:

1. HP Connection Optimizer
2. HP Documentation
3. HP ICS
4. HP Notifications 
5. HP Security Update Service
6. HP Support Assistant
7. HP Wolf Security

1. HP Connection Optimizer

This one is a little tricky and requires the help of an answer file. I got a little help from Reddit

Create an InstallShield answer file. Copy the text to Notepad and save as .iss file (I called it HPConnOpt.iss)

[InstallShield Silent]

Version=v7.00

File=Response File

[File Transfer]

OverwrittenReadOnly=NoToAll

[{6468C4A5-E47E-405F-B675-A70A70983EA6}-DlgOrder]

Dlg0={6468C4A5-E47E-405F-B675-A70A70983EA6}-SdWelcomeMaint-0

Count=3

Dlg1={6468C4A5-E47E-405F-B675-A70A70983EA6}-MessageBox-0

Dlg2={6468C4A5-E47E-405F-B675-A70A70983EA6}-SdFinishReboot-0

[{6468C4A5-E47E-405F-B675-A70A70983EA6}-SdWelcomeMaint-0]

Result=303

[{6468C4A5-E47E-405F-B675-A70A70983EA6}-MessageBox-0]

Result=6

[Application]

Name=HP Connection Optimizer

Version=2.0.18.0

Company=HP Inc.

Lang=0409

[{6468C4A5-E47E-405F-B675-A70A70983EA6}-SdFinishReboot-0]

Result=1

BootOption=0 

I copied the answer file to Azure storage and generated a shared access signature so that the file could be downloaded from anywhere.

Next is the script (UninstallHPConnOpt.ps1)

invoke-webrequest -uri "https://xxx.blob.core.windows.net/autopilot-scripts/HPConnOpt.iss?MySharedAccessSignature" -outfile "C:\Windows\Temp\HPConnOpt.iss"

&'C:\Program Files (x86)\InstallShield Installation Information\{6468C4A5-E47E-405F-B675-A70A70983EA6}\setup.exe' @('-s', '-f1C:\Windows\Temp\HPConnOpt.iss')

The script downloads the answer file and copies to C:\Windows\Temp. It then executes setup.exe for HP Connection Optimizer and calls the answer file. This uninstalls the app.

To deploy the solution via Intune, copy the script and answer file to a folder. Then create a Win32 app which results in a .IntuneWin file containing both files.

2. HP Documentation

This one is a bit more straightforward. The script sets the location to "C:\Program File\HP\Documentation" and then runs the uninstall command.

Set-location "C:\Program Files\HP\Documentation"

.\Doc_uninstall.cmd

Upload the script to Intune and assign to a group.

3. HP ICS

They're getting easier

$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'ICS'

$Prod.UnInstall()

Upload the script to Intune and assign to a group.

4. HP Notifications

This one is the same format.

$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'HP Notifications'

$Prod.UnInstall()

5. HP Security Update Service

Same format again.

$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'HP Security Update Service'

$Prod.UnInstall()

6. HP Support Assistant

This one is a little different. It's an appx installation. Nicolaj Andersen has an excellent script for removing unwanted built-in appx apps during provisioning, except those that you explicitly whitelist. The script will remove the HP Support Assistant.

7. HP Wolf Security

Same format as before

$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'HP Wolf Security'

$Prod.UnInstall()

These are the settings you need when you are deploying your scripts with Intune.

I hope this helps you and saves you time if have the same task. 

Until next time......

 

Silently install ten top Win32 apps with Intune

We've heard a lot about Winget and the Windows Package Manager recently. However we'll still need to be able to deploy Win32 apps via Intune for the foreseeable future, especially during an Autopilot process. This blog post isn't about using the Win32 Content Prep tool to convert apps into the intunewin format. It's about the research I carried out to understand how to install ten top apps (with a focus on the financial sector) silently and to detect them afterwards. This research can take a while so I thought it might save others some time.

Edit the installation command with your executable name. Note that I've used the presence of a file as my detection method for many of the apps. You can be more specific with this rule by configuring a file version if that's what you need.

Bloomberg Terminal:

Provides coverage of markets, industries, companies and securities across all asset classes.

Download the latest “Bloomberg Terminal” installer 

• Silent install: sotr102_5_80.exe /s maindir=“C:\blp\” conn_type=Private
• Detection (file or folder exists): C:\blp\Wintrv\wintrv.exe

Refinitiv FXall:

Formerly Reuters, a complete end-to-end solution for your FX trades

There is one additional consideration with this application. A response file must be generated in order to install it silently. Generate the response file by running this command (as administrator):

Refinitiv-FXall-Setup.exe -r installer.properties

The installation wizard launches. Follow the wizard to the end. This installs the application and creates the response file. This file must be saved in the same folder as the EXE when the app is being converted to a .Intunewin file.

• Silent install: Refinitiv-FXall-Setup.exe -i silent
• Detection (file or folder exists): C:\Program Files\Refinitiv\Refinitiv FXall_\7.9.0.53\Refinitiv FXall_.exe

Anaconda:

Anaconda Distribution is the world’s most popular open-source Python distribution platform. Download 

• Silent install: Anaconda2-4.2.0-Windows-x86_64.exe /InstallationType=AllUsers /S /D=C:\Program Files\Anaconda2
• Detection (file or folder exists): C:\Program Files\Anaconda2\pythonw.exe

Morning Star Direct:

Morning Star Direct is an investment & portfolio analysis software, which gives you the tools to build strategies and products.

Morning Star Direct is a pretty straightforward installation as it is MSI based. However there are two additional consideration here.

• Firstly, the Morning Star Direct application forces a reboot, which happens automatically and without warning. We have to use the parameter REBOOT=ReallySuppress to prevent that. A reboot is still required to complete the installation but the user is notified to restart.
• Secondly, there are two installations.
• The Morning Star Direct prerequisites can be downloaded from here 
• The Morning Star Direct application can be downloaded here 
• The Prerequisites app has to be added as a dependency for the Morning Star Direct application and is installed first.

• Silent install: msiexec /i "prerequisite.msi" /qn
• Detection : MSI {7FA41A52-1D83-4C2D-A432-475AA3F7881B}
• Silent install: msiexec /i "direct.msi" /qn REBOOT=ReallySuppress
• Detection: MSI {D9C2A982-D2E0-4E83-B8FD-8E7B8160EBA2}

SQL Server Management Studio:

This app was developed by Microsoft and is used for configuring, managing, and administering all components within Microsoft SQL Server. It can be downloaded here

• Silent install: SSMS-Setup-ENU.exe /quiet
• Detection (file or folder exists): C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe

Visual Studio Code:

Visual Studio Code is a lightweight but powerful source code editor. Download

• Silent install: VSCodeSetup-x64-1.74.2.exe /silent
• Detection (file or folder exists): C:\Program Files\Microsoft VS Code\Code.exe

Power BI Desktop:

Get a 360° view of your business data and quickly connect, shape, visualize, and share data insights through Power BI. Download

• Silent install: PBIDesktopSetup_x64.exe -s ACCEPT_EULA=1
• Detection (file or folder exists): C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe

Adobe Reader:

This app can be downloaded here

• Silent install: AcroRdrDC2200320258_en_US.exe /sALL /rs /msi EULA_ACCEPT=YES
• Detection (file or folder exists): C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Sophos Antivirus:

This app can be downloaded here

• Silent install: SophosSetup.exe --quiet
• Detection (file or folder exists): C:\Program Files\Sophos\Sophos UI\Sophos UI.exe exists

Remote Help:

Remote help is a premium add-on application that works with Intune and enables your users to get assistance when needed over a remote connection. 

Remote help must be installed on each device before that device can be used to participate in a remote help session. You can download the latest version of remote help directly from Microsoft 

• Silent install: remotehelpinstaller.exe /quiet acceptTerms=1
• Detection (file or folder exists): C:\Program Files\Remote help\RemoteHelp.exe

-----------------------------------------------------------------------------------------------------------------------

That's it, that was the ten apps that I recently had to deploy via Intune for a financial services customer. I hope you find it handy if you need to work with one of them. It was difficult to get this information for some of the apps as the enterprise installation documentation was only available with a support contract.

Until next time.....