{"id":4600,"date":"2021-12-07T09:28:16","date_gmt":"2021-12-07T07:28:16","guid":{"rendered":"https:\/\/www.msb365.blog\/?p=4600"},"modified":"2023-06-23T10:59:44","modified_gmt":"2023-06-23T08:59:44","slug":"microsoft-intune-automation-powershell-script-documentation","status":"publish","type":"post","link":"https:\/\/www.msb365.blog\/?p=4600","title":{"rendered":"Microsoft Intune Automatization Script"},"content":{"rendered":"<p>I am currently working on a new project involving the integration and configuration of Microsoft Intune in a hybrid environment.<br \/>\nSince there are always the same tasks in this scenario, I have now written a PowerShell script that processes the most important recurring tasks.<br \/>\nThis way I can ensure that certain configurations are standardized for all customers.<\/p>\n<p>In this blog article I present and explain my script:<\/p>\n<h3>What are the tasks that are done by the script?<\/h3>\n<ul>\n<li>Creates licence groups<\/li>\n<li>Creates permission groups<\/li>\n<li>Creates an on-premise AD user<\/li>\n<li>Creates OU for required GPO&#8217;s<\/li>\n<li>Creates a GPO for MDM enrollment<\/li>\n<li>Creates a GPO for SCP<\/li>\n<li>Creates a GPO for MDM unenrollment<\/li>\n<li>Creates an additional REG Key in MDM enrollment for triggering second script to run the schedule task for MDM<\/li>\n<li>Creates an additional REG Key in MDM enrollment for adding the LAN Domain to Secure Sites<\/li>\n<li>Creates an additional REG Key in MDM enrollment for adding the Domain controller IP to secure Sites<\/li>\n<li>Creates an additional REG Key in MDM enrollment for one time running additional script (More about it, later in this article)<\/li>\n<li>Starts sync between on-premise AD and Azure Active Directory<\/li>\n<li>Creates dynamic groups for devices in Azure Active Directory<\/li>\n<li>Creates an Azure Active Directory user with Intune Administrator permission<\/li>\n<li>Licence 
Assignments<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>(OPTIONAL) Installs PowerShell Module MSOL<\/li>\n<li>(OPTIONAL) Installs PowerShell Modules Azure<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3>What is <span style=\"color: #ff0000;\">not<\/span> configured with this script?<\/h3>\n<ul>\n<li>Installation and configuration of AAD Connect<\/li>\n<li>Configuration of AAD sync<\/li>\n<li>Advanced AAD Connect configurations<\/li>\n<li>Autopilot Configuration<\/li>\n<li>Intune App configurations<\/li>\n<li>Tenant customisations<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3>Here is the Script Documentation:<\/h3>\n<table>\n<tbody>\n<tr>\n<td width=\"208\">With my script, nothing has to be adapted beforehand. The script can simply be executed; all required information is requested during the execution of the script.<\/p>\n<p>&nbsp;<\/p>\n<p>In the first phase, the following information is requested and must be entered manually in the script:<\/p>\n<ul>\n<li>Local domain.<\/li>\n<li>OU where the test user will be created.<\/li>\n<li>OU where the licence groups are to be created.<\/li>\n<li>OU where the groups for the permissions are to be created.<\/li>\n<li>Your own onmicrosoft domain.<\/li>\n<\/ul>\n<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-4603\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001.png\" alt=\"\" width=\"1495\" height=\"157\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001.png 1495w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001-300x32.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001-1024x108.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001-768x81.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001-600x63.png 600w, 
https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001-905x95.png 905w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_001-1320x139.png 1320w\" sizes=\"(max-width: 1495px) 100vw, 1495px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">In this step, a directory is created. This can be found under C:\\MDM. The log file of this script is also stored in this directory.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_002.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-4604\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_002.png\" alt=\"\" width=\"570\" height=\"124\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_002.png 570w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_002-300x65.png 300w\" sizes=\"(max-width: 570px) 100vw, 570px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">The next step is to create a password for our Local Test Account. 
I use this for testing configurations, autopilot, etc.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_003.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-4605\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_003.png\" alt=\"\" width=\"533\" height=\"157\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_003.png 533w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_003-300x88.png 300w\" sizes=\"(max-width: 533px) 100vw, 533px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Next, the licence groups are created.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4606\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004.png\" alt=\"\" width=\"918\" height=\"337\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004.png 918w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004-300x110.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004-768x282.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004-600x220.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_004-905x332.png 905w\" sizes=\"(max-width: 918px) 100vw, 918px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Then the authorisation groups are created.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_005.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4607\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_005.png\" alt=\"\" width=\"434\" height=\"111\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_005.png 434w, 
https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_005-300x77.png 300w\" sizes=\"(max-width: 434px) 100vw, 434px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">It is important to note that the AAD synchronisation must be configured beforehand (or afterwards) so that these groups also appear in the Azure Active Directory.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4608\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006.png\" alt=\"\" width=\"1178\" height=\"259\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006.png 1178w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006-300x66.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006-1024x225.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006-768x169.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006-600x132.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_006-905x199.png 905w\" sizes=\"(max-width: 1178px) 100vw, 1178px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Now the required OU&#8217;s and GPO&#8217;s are created.<\/p>\n<p>&nbsp;<\/p>\n<p>In my experience, the Automatic MDM enrolment and SCP GPO are needed for a hybrid enrolment. 
However, I also create an OU with the GPO with the value unenrolled for my customer.<\/p>\n<p>&nbsp;<\/p>\n<p>According to the Microsoft Technet article, the corresponding GPO can also simply be configured as an ADMX template, but in my script I have decided to configure the corresponding settings directly via registry key.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4609\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007.png\" alt=\"\" width=\"937\" height=\"437\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007.png 937w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007-300x140.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007-768x358.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007-600x280.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_007-905x422.png 905w\" sizes=\"(max-width: 937px) 100vw, 937px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">The next step checks whether the PowerShell module &#8220;ADSYNC&#8221; is available. If this is the case, a pause of 10 seconds is set first. This is so that any domain controller synchronisation can be carried out. Then an AD sync (delta) is started so that the created groups and users are synced into the Azure Active Directory.<\/p>\n<p>When this command has been issued, another pause of 30 seconds is performed. 
This second pause gives the AAD sync enough time to sync the created objects into the Azure Active Directory.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_008.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4616\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_008.png\" alt=\"\" width=\"412\" height=\"36\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_008.png 412w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_008-300x26.png 300w\" sizes=\"(max-width: 412px) 100vw, 412px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">The next step is to log on to the Microsoft 365 tenant. Here, too, we first check whether the required Powershell module is available. If this is not the case, the corresponding PowerShell module is installed.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_009.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4618\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_009.png\" alt=\"\" width=\"586\" height=\"463\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_009.png 586w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_009-300x237.png 300w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">In the next step, the script creates a cloud-only account which I need for administrative purposes for the endpoint portal. 
Therefore, a pop-up for the password entry for this user account also follows here.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4621\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/01.png\" alt=\"\" width=\"822\" height=\"64\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/01.png 822w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/01-300x23.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/01-768x60.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/01-600x47.png 600w\" sizes=\"(max-width: 822px) 100vw, 822px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">The Cloud only user account just created is promoted to Intune Administrator.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4622\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/02.png\" alt=\"\" width=\"615\" height=\"43\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/02.png 615w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/02-300x21.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/02-600x42.png 600w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">Now a connection to the Azure AD PowerShell module is created. 
If this does not exist, it will be installed automatically.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_010.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4619\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_010.png\" alt=\"\" width=\"664\" height=\"529\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_010.png 664w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_010-300x239.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/SC_010-600x478.png 600w\" sizes=\"(max-width: 664px) 100vw, 664px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">The next step is to create 5 dynamic groups in the Azure Active Directory. These are configured so that the different device types can be distinguished. In this script I distinguish between:<\/p>\n<ul>\n<li>Microsoft Surface<\/li>\n<li>Lenovo<\/li>\n<li>HP<\/li>\n<li>Dell<\/li>\n<li>Intel<\/li>\n<\/ul>\n<\/td>\n<td width=\"393\"><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">In the next step, the licence assignments are made. 
The licence groups created and synced at the beginning are assigned the corresponding licences via PowerShell.<\/p>\n<p>&nbsp;<\/p>\n<p>ATTENTION: The script requires that the licences have been procured via a CSP.<\/td>\n<td width=\"393\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4623\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03.png\" alt=\"\" width=\"918\" height=\"166\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03.png 918w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03-300x54.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03-768x139.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03-600x108.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/03-905x164.png 905w\" sizes=\"(max-width: 918px) 100vw, 918px\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><\/h3>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>The result:<\/h3>\n<p>When the script has run successfully, we have the following result:<\/p>\n<p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"301\">As we can see, in the OU&#8217;s we defined, the different groups and sub OU&#8217;s were created.<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4630\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp1.png\" alt=\"\" width=\"839\" height=\"508\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp1.png 839w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp1-300x182.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp1-768x465.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp1-600x363.png 600w\" sizes=\"(max-width: 839px) 100vw, 839px\" 
\/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">We also see that our SVC_DW_USER was created in the on-premise Active Directory.<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4631\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp2.png\" alt=\"\" width=\"755\" height=\"778\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp2.png 755w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp2-291x300.png 291w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp2-600x618.png 600w\" sizes=\"(max-width: 755px) 100vw, 755px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">In Group Policy Management, we see that the required GPOs have been created and linked.<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4632\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp3.png\" alt=\"\" width=\"752\" height=\"593\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp3.png 752w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp3-300x237.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp3-600x473.png 600w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">The values are also set correctly in the content (here as an example the SCP GPO).<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4633\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4.png\" alt=\"\" width=\"1058\" height=\"901\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4.png 1058w, 
https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4-300x255.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4-1024x872.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4-768x654.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4-600x511.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp4-905x771.png 905w\" sizes=\"(max-width: 1058px) 100vw, 1058px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">When we go into the Microsoft 365 portal, we see the on-premise user SVC_DW_USER which has already been synced to the cloud.<\/p>\n<p>&nbsp;<\/p>\n<p>We also see our SVC_DW_ADMIN account in our tenant.<\/p>\n<p>(By the way: I usually create my admins online and also use the onmicrosoft domain. As you can see in the print screen, the USER and ADMIN account also differ in the domain used).<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4634\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5.png\" alt=\"\" width=\"972\" height=\"674\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5.png 972w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5-300x208.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5-768x533.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5-600x416.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp5-905x628.png 905w\" sizes=\"(max-width: 972px) 100vw, 972px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">If we take a closer look at our SVC_DW_ADMIN, we can see that this account has also been promoted as Intune Administrator.<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6.png\"><img loading=\"lazy\" decoding=\"async\" 
class=\"alignnone size-full wp-image-4635\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6.png\" alt=\"\" width=\"1207\" height=\"721\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6.png 1207w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6-300x179.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6-1024x612.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6-768x459.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6-600x358.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp6-905x541.png 905w\" sizes=\"(max-width: 1207px) 100vw, 1207px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">If we now go further into the Azure Portal, we find that here too the groups are already synced from on-premise to the cloud.<\/p>\n<p>(<strong><span style=\"color: #ff0000;\">Please note<\/span><\/strong> that the Azure ADConnect must first be configured accordingly. 
Otherwise, of course, this sync will not work).<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4636\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7.png\" alt=\"\" width=\"1260\" height=\"744\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7.png 1260w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7-300x177.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7-1024x605.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7-768x453.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7-600x354.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp7-905x534.png 905w\" sizes=\"(max-width: 1260px) 100vw, 1260px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">In addition to the groups synced from on premise, we also see that our dynamic cloud only device groups are present.<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4637\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8.png\" alt=\"\" width=\"1213\" height=\"693\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8.png 1213w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8-300x171.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8-1024x585.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8-768x439.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8-600x343.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp8-905x517.png 905w\" sizes=\"(max-width: 1213px) 100vw, 1213px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">Finally, here is a more 
in-depth look at our licence groups. As you can see, existing licences are already assigned accordingly.<\/p>\n<p>(<span style=\"color: #ff0000;\"><strong>Please note<\/strong><\/span> that all apps of a licence are activated by default and the users must also be assigned to the groups accordingly).<\/td>\n<td width=\"301\"><a href=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4638\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9.png\" alt=\"\" width=\"1414\" height=\"691\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9.png 1414w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9-300x147.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9-1024x500.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9-768x375.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9-600x293.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9-905x442.png 905w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/11\/pp9-1320x645.png 1320w\" sizes=\"(max-width: 1414px) 100vw, 1414px\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><\/h3>\n<p>&nbsp;<\/p>\n<h3>Download the Powershell Script:<\/h3>\n<blockquote><p>You can find the PowerShell Script on my <strong><a href=\"https:\/\/github.com\/MSB365\/IntunePrep\/blob\/main\/Prep-Intune.ps1\" target=\"_blank\" rel=\"noopener\">Github<\/a><\/strong> Page.<\/p><\/blockquote>\n<h3><\/h3>\n<p>&nbsp;<\/p>\n<h3>Further information:<\/h3>\n<p>The script is basically self-contained, but there is a task that automatically downloads another Powershell script from Github.<br \/>\nThis is a small script that is to be executed on the client computer. 
This script checks whether the scheduled task &#8220;PushLaunch&#8221; exists; if not, the task is created.<br \/>\nThis task triggers the MDM enrolment.<\/p>\n<p>&nbsp;<\/p>\n<p>This subscript is stored under the following path:<\/p>\n<p><a href=\"https:\/\/raw.githubusercontent.com\/MSB365\/CreateScheduleTaskForMDMEnrollment\/main\/CreateScheduleTask.ps1\"><em>https:\/\/raw.githubusercontent.com\/MSB365\/CreateScheduleTaskForMDMEnrollment\/main\/CreateScheduleTask.ps1<\/em><\/a><\/p>\n<p>The subscript itself looks like this:<\/p>\n<pre># Create the scheduled task that triggers MDM enrollment, unless it already exists\r\n$taskname = \"PushLaunch\"\r\n$task = Get-ScheduledTask -TaskName $taskname -ErrorAction SilentlyContinue\r\n\r\nif (!$task) {\r\n    $taskdescription = \"Initialize MDM Enrollment by Task Scheduler\"\r\n    # DeviceEnroller.exe \/c \/AutoenrollMDM starts the automatic MDM enrollment\r\n    $action = New-ScheduledTaskAction -Execute 'C:\\Windows\\System32\\DeviceEnroller.exe' -Argument '\/c \/AutoenrollMDM'\r\n    $trigger = New-ScheduledTaskTrigger -AtLogOn\r\n    $settings = New-ScheduledTaskSettingsSet\r\n    $path = \"\\Microsoft\\Windows\\EnterpriseMgmt\"\r\n    # Register the task to run as SYSTEM at every logon\r\n    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskname -Description $taskdescription -Settings $settings -User \"System\" -TaskPath $path\r\n} else {\r\n    Write-Host \"$taskname already exists - no further action needed!\" -ForegroundColor Green\r\n}<\/pre>\n<p>&nbsp;<\/p>\n<h3>Would you like to see more?<\/h3>\n<p>You can have it!<br \/>\nI have prepared a short video where I run through the script and explain everything again.<\/p>\n<iframe  id=\"_ytid_48573\"  width=\"480\" height=\"270\"  data-origwidth=\"480\" data-origheight=\"270\" src=\"https:\/\/www.youtube.com\/embed\/3TxS6yelbU0?enablejsapi=1&autoplay=0&cc_load_policy=0&cc_lang_pref=&iv_load_policy=1&loop=0&rel=1&fs=1&playsinline=0&autohide=2&theme=dark&color=red&controls=1&disablekb=0&\" class=\"__youtube_prefs__  no-lazyload\" title=\"YouTube player\"  allow=\"fullscreen; accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; 
picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen data-no-lazy=\"1\" data-skipgform_ajax_framebjll=\"\"><\/iframe>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Second (video) part<\/h3>\n<p>In the second part we see what the deployment of a new client computer looks like after Intune has been pre-configured with my script.<br \/>\nNote again that a second script (as described above) is downloaded from GitHub. After the successful download, this script is copied into the NETLOGON directory. So that we can use this script when logging in, 2 entries are set under Internet Options. Their values are read from variables and then entered. This can be seen in the video.<\/p>\n<iframe  id=\"_ytid_76854\"  width=\"480\" height=\"270\"  data-origwidth=\"480\" data-origheight=\"270\" src=\"https:\/\/www.youtube.com\/embed\/1FGB8-vIUQI?enablejsapi=1&autoplay=0&cc_load_policy=0&cc_lang_pref=&iv_load_policy=1&loop=0&rel=1&fs=1&playsinline=0&autohide=2&theme=dark&color=red&controls=1&disablekb=0&\" class=\"__youtube_prefs__  no-lazyload\" title=\"YouTube player\"  allow=\"fullscreen; accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen data-no-lazy=\"1\" data-skipgform_ajax_framebjll=\"\"><\/iframe>\n<p>&nbsp;<\/p>\n<h3>Follow up<\/h3>\n<p>After all configurations are prepared, the tenant has to be configured. This means that the packages have to be packaged and (depending on the area of application) the baselines have to be adapted. 
Furthermore, the users have to be added to the corresponding groups created by the script, and the groups have to be assigned to the respective Intune configuration.<\/p>\n<p>I am currently planning a script for this as well, but it will take a while before I put it online.<\/p>\n<p>&nbsp;<\/p>\n<p>I hope this helps you guys with some future deployments.<\/p>\n<p>\ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I am currently working on a new project involving the integration and configuration of Microsoft Intune in a hybrid environment. Since there are always the same tasks in this scenario, I have now written a PowerShell script that processes the most important recurring tasks. This way I can ensure that certain configurations are standardized for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4613,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1923,1988,3],"tags":[],"class_list":["post-4600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-365","category-ms-intune","category-powershell"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/4600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcom
ments&post=4600"}],"version-history":[{"count":22,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/4600\/revisions"}],"predecessor-version":[{"id":4648,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/4600\/revisions\/4648"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/media\/4613"}],"wp:attachment":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}