Intune – SkoaNOW Technologies https://www.skoanowtechnologies.com Bringing IT services to your doorstep Mon, 09 Sep 2024 14:40:51 +0000
SCRIPT to automatically create System restore points for Windows devices https://www.skoanowtechnologies.com/script-tocreate-system-restore-point-for-winodws-devices/ Mon, 09 Sep 2024 01:45:48 +0000


Content

  • Scripts to enable system restore or system protection
  • Script to add a registry value that allows creation of multiple restore points in a 24 hour period
  • Script to add a task schedule that creates a restore point automatically

Scripts To Enable System Restore Or System Protection

  • This can be done in two ways; one is to wrap the PowerShell script in a batch script and the other is to use WMIC.exe to create a batch script
  • PowerShell wrapped in batch script: PowerShell.exe -ExecutionPolicy Bypass -Command "Enable-ComputerRestore -Drive 'C:\'"
  • WMIC.exe batch script: C:\Windows\System32\wbem\WMIC.exe /namespace:\\root\default Path SystemRestore Call enable "C:\"

Script To Add A Registry Value That Allows Creation of Multiple Restore Points In A 24 Hour Period

  • By default, the Windows operating system does not allow more than one restore point to be created within a 24 hour period. To overcome this limitation, you can use this batch script to add a registry value that allows more than one restore point to be created in a 24 hour period: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointFrequency /t REG_DWORD /d 0 /f

Script To Add A Task Schedule That Creates A Restore Point Automatically

  • Monthly Schedule: schtasks.exe /create /tn "Monthly Restore Point" /sc MONTHLY /d TUE /mo FIRST /st 10:00 /rl HIGHEST /ru "NT AUTHORITY\SYSTEM" /tr "PowerShell.exe -ExecutionPolicy Bypass -Command \"Checkpoint-Computer\" -Description \"AUTOMATIC-$(Get-Date -Format \"yyyyMMddHHmmss\")\" -RestorePointType \"MODIFY_SETTINGS\""
  • Weekly Schedule: schtasks.exe /create /tn "Weekly Restore Point" /sc WEEKLY /d TUE /st 10:00 /rl HIGHEST /ru "NT AUTHORITY\SYSTEM" /tr "PowerShell.exe -ExecutionPolicy Bypass -Command \"Checkpoint-Computer\" -Description \"Weekly System Restore\" -RestorePointType \"MODIFY_SETTINGS\""
  • Daily Schedule: schtasks.exe /create /tn "Daily System Restore" /sc DAILY /st 09:00 /rl HIGHEST /ru "NT AUTHORITY\SYSTEM" /tr "PowerShell.exe -ExecutionPolicy Bypass -Command \"Checkpoint-Computer\" -Description \"AUTOMATIC-$(Get-Date -Format \"yyyyMMddHHmmss\")\" -RestorePointType \"MODIFY_SETTINGS\""
  • tn=Task name; sc=schedule; d=Day; mo= st=Schedule time; rl=Run Level; ru=Run User; tr=Trigger

Combined Script for Daily Restore Point

@echo off

REM Enable System Protection or System Restore
start /wait PowerShell.exe -ExecutionPolicy Bypass -Command "Enable-ComputerRestore -Drive 'C:\'"

REM Create Daily Restore Point
start /wait schtasks.exe /create /tn "Daily System Restore" /sc DAILY /st 09:00 /rl HIGHEST /ru "NT AUTHORITY\SYSTEM" /tr "PowerShell.exe -ExecutionPolicy Bypass -Command \"Checkpoint-Computer\" -Description \"AUTOMATIC-$(Get-Date -Format \"yyyyMMddHHmmss\")\" -RestorePointType \"MODIFY_SETTINGS\""

REM Allow creation of multiple restore points in a 24 hour period
start /wait reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointFrequency /t REG_DWORD /d 0 /f

Exit

  • If you are packaging this as a WIN32 app in Intune, you can set the detection rule using the presence of the "SystemRestorePointFrequency" registry value.
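
A stricter alternative to the registry-presence rule, as an added example that is not part of the original post: a custom detection script that also confirms the scheduled task from the combined script still runs as SYSTEM with the expected action, since that task executes at the highest run level. It assumes the task name "Daily System Restore" used above and the usual Intune convention that exit code 0 with output on STDOUT means "detected".

```powershell
# Added example: Intune Win32 custom detection script (not the original author's code).
# Assumption: the app was installed by the combined daily script shown above.
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$regName  = 'SystemRestorePointFrequency'
$taskName = 'Daily System Restore'
$problems = @()

# 1. The registry value must exist and be 0 (no 24-hour throttle).
try {
    $freq = Get-ItemPropertyValue -Path $regPath -Name $regName -ErrorAction Stop
    if ($freq -ne 0) { $problems += "$regName is $freq, expected 0" }
} catch {
    $problems += "$regName is missing"
}

# 2. The scheduled task must exist and still look like the one that was deployed.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) {
    $problems += "Scheduled task '$taskName' not found"
} else {
    if ($task.Principal.UserId -ne 'SYSTEM') {
        $problems += "Task runs as '$($task.Principal.UserId)', expected SYSTEM"
    }
    if ($task.Principal.RunLevel -ne 'Highest') {
        $problems += "Task run level is '$($task.Principal.RunLevel)', expected Highest"
    }
    # A task running as SYSTEM should have exactly one action, and it should be
    # the Checkpoint-Computer call; anything else means the task was changed.
    $actions = @($task.Actions)
    if ($actions.Count -ne 1) {
        $problems += "Task has $($actions.Count) actions, expected 1"
    } elseif ($actions[0].Execute -notmatch '(?i)powershell(\.exe)?$' -or
              $actions[0].Arguments -notlike '*Checkpoint-Computer*') {
        $problems += "Unexpected task action: $($actions[0].Execute) $($actions[0].Arguments)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'Restore point configuration detected'
    exit 0
}
# Non-zero exit code means "not detected"; details go to the warning stream.
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```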
Deploy Android APK file in Intune https://www.skoanowtechnologies.com/deploy-android-apk-file-in-intune/ Fri, 23 Aug 2024 03:27:36 +0000 https://www.skoanowtechnologies.com/?p=2544
  • It is common knowledge among many Intune administrators that Line of Business (LOB) is the method for creating an Android application from an APK file, but this is only true for devices set up with the Targeted Platform as Android Device Administrator or Android Open Source Project (AOSP).
  • This means that the LOB method cannot be used to package an APK file for Android application deployment to Android Enterprise Personally-Owned Work Profile, Android Enterprise dedicated devices, Android Enterprise Fully Managed or Android Enterprise Corporate-Owned Work Profile, which is what most enterprise-level organizations use.
  • To deploy the APK file successfully, you need to use the Managed Google Play Private Store to make the app available only in the Google Play store associated with the user's tenant. It takes less time to publish and become available for distribution than publishing it in the Google Play public store, which may take a longer period for Google to vet and approve. This can take as little as 10 minutes to publish, approve and become available for distribution.
  • Navigate to Intune portal>>>Apps>>>click on Android>>>click Add; App Type (Managed Google Play Store) and click on Select.
  • Once you click Select, it will connect to your organization's Google Play Store, which has been connected to Intune. Click on the "Lock" icon representing Private Apps to open the Managed Google Play Private Store; Title (My Private App); APK File (Upload the APK file here)>>>the application will indicate Not Available Yet and this may take between 10 to 20 minutes.
  • Once the application has been approved, the Not Available Yet indicator will disappear, indicating that it is available in the Google Play Store.
  • Click Search for Play Store icon and in the search area type the name of the application and click the Search icon.
  • Once the application is displayed, click on it to open it, then click the Select button and then click the Sync button on the top-left to add the application to your application list; this may take 10 to 15 minutes to complete.
  • During the process, the message "Managed Google Play Sync in progress. Apps added in Managed Google Play will be created when the sync completes" will be displayed at the top of your list of applications.
  • When the application is added, click on it and click on Properties on the left side of the page and, in the Assignments area, add the desired group for the application to be deployed to.
ipad os case studies https://www.skoanowtechnologies.com/ipad-os-case-studies/ Sun, 04 Aug 2024 12:25:06 +0000 https://www.skoanowtechnologies.com/?p=2517
Android OS case studies https://www.skoanowtechnologies.com/android-os-case-studies/ Sun, 04 Aug 2024 12:24:36 +0000 https://www.skoanowtechnologies.com/?p=2515
DEPLOY ANDROID APK FILE IN INTUNE
ios case studies https://www.skoanowtechnologies.com/ios-case-studies/ Sun, 04 Aug 2024 12:21:43 +0000 https://www.skoanowtechnologies.com/?p=2511
macOS case studies https://www.skoanowtechnologies.com/intune-macos-case-studies/ Sun, 04 Aug 2024 12:20:41 +0000 https://www.skoanowtechnologies.com/?p=2509
Intune case studies https://www.skoanowtechnologies.com/intune-case-studies/ Sun, 04 Aug 2024 12:17:01 +0000 https://www.skoanowtechnologies.com/?p=2506
Renew secret key values for SCCM-Intune comanagement applications https://www.skoanowtechnologies.com/renew-secret-key-values-for-sccm-intune-comanagement-applications/ Fri, 02 Aug 2024 20:30:47 +0000 https://www.skoanowtechnologies.com/?p=2469
  • Using Cloud Attach to set up co-management between SCCM and Intune creates two main Applications in Application Registry/Enterprise Applications: ConfigMgrSvc_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX and Cloud Management.
  • By default, the Secret Key duration is set to one year, so you need to set a calendar reminder to create a new secret key even though you will receive a reminder about 15 days before the expiration date.
  • To renew the secret keys, in SCCM, navigate to Administration>>>Azure Directory Tenants. Click on the Tenant Name to display the corresponding Applications at the bottom of the page.
  • Right-click on each of the Enterprise Applications and click on Renew Secret Key.
  • When presented with the Office 365 log in screen, enter your Microsoft Entra ID/Office 365 account which has a Global Administrator or Cloud Application Administrator role associated with it and log in. Complete the associated MFA if it has been setup.
  • Once the process is successful, you will be presented with a popup in SCCM indicating the renewal has been successful.
  • Log into the Application Registry in Azure and verify that the new secret keys have been created in the two applications.
  • Note: Do not renew the secret keys from Application Registry/Enterprise Applications in Azure because it may not be able to sync with SCCM. The correct process is to renew the secret keys from the SCCM side.
intune troubleshooting https://www.skoanowtechnologies.com/intune-troubleshooting/ Tue, 30 Jul 2024 10:25:37 +0000 https://www.skoanowtechnologies.com/?p=2435

Windows

INTUNE ERROR CODE 80192EE2, CAA70007, AND 80180014
BITLOCKER DRIVE ENCRYPTION CANNOT BE APPLIED TO THIS DRIVE BECAUSE THERE ARE CONFLICTING GROUP POLICY SETTINGS FOR RECOVERY OPTIONS ON OPERATING SYSTEM DRIVES
KNOWN ISSUES IN INTUNE FOR WINDOWS PLATFORM

macOS

MACOS PLATFORM SSO WILL NOT COMPLETE
MACOS PLATFORM SSO ERROR 10002
CANNOT DISABLE MACOS FIREWALL ON THE DEVICE- CONTROLLED BY INTUNE
LOCKED OUT OF MACOS DEVICE
NO WIFI ON MACOS LOGIN SCREEN
INTUNE MACOS DEVICE -THIS DEVICE IS NOT REGISTERED IN COMPANY PORTAL APPLICATION

iPadOS

iOS

Android

Linux

macos Platform SSO will not complete https://www.skoanowtechnologies.com/platform-sso-will-not-complete/ Fri, 26 Jul 2024 02:32:17 +0000 https://www.skoanowtechnologies.com/?p=2412

Issue

  • Microsoft Entra login part of the macOS Platform SSO is failing.

Solution

  • Make sure the Office 365 password meets the macOS password policy by changing it in Office 365 or Active Directory.
  • Close the Microsoft Entra sign in screen to allow you to restart the process.
  • Navigate to Settings>>>Users and Groups>>>click Edit on Network Server and then click Register or Repair.
  • Enter the local account password, then log in with the new Office 365 password and, once the Preparing the device… screen has completed and the Microsoft Entra login screen is presented, log in with the new Office 365 password.
  • Once that goes through, it means that the Office 365 password has synced with the local account.
  • You can now log into the MacBook computer with the Office 365 password.