Hey Flow Fans!
This week’s article comes from Max Fritz at SADA Systems, Inc.
Max is an Office 365 and EMS Architect at SADA Systems, Inc. He focuses on improving collaboration and simplifying implementation, and has worked with Office 365 for the past eight years. He is a self-proclaimed geek, passionate about a broad range of security and collaboration tools and can’t stop talking about the technology he loves. Max is the founder and president of the Minnesota Office 365 User Group, and holds MCSA and MCSE Microsoft certifications. Max can be found speaking at Microsoft 365 conferences all over the US. You can find Max on Twitter @theCloudSherpa (https://twitter.com/TheCloudSherpa), or on LinkedIn (https://www.linkedin.com/in/maxafritz/).
Background
For those organizations that have fully adopted the Modern Workplace and have gone “cloud only”, you are most likely using Windows 10 on your workstations and managing those workstations with Microsoft Intune. While Intune is good at managing settings (and always getting better), there are limited reporting options available.
One of the most common requests I encounter is to get the status of local admins on the machines managed by Intune. The below Flow will walk us through gathering that information and presenting it to an administrator.
The following steps will be a part of this process:
- Deploy a PowerShell script from Intune
- Device gathers data and kicks off Flow using a REST API call
- Flow writes data to SharePoint
Requirements
- Flow subscription
- Intune subscription
- Windows 10 devices in Intune
- OneDrive or SharePoint location to store the list (or an Excel workbook, if you prefer)
SharePoint
For this example, we’ll be using a SharePoint list to store the data, however, you can adapt the below steps and store the data in an Excel workbook if you prefer.
- In your SharePoint site of choice, go to Add an app.
- From the options, select Custom List.
- Give your list a name. We’ll call ours “Local Admins.”
- Navigate to your new list and add two columns named “Computer Name” and “User Name” by repeating the steps below for each column:
- Click Add column.
- Choose Single line of text.
- Fill out the column name and click Save.
- Repeat for the second column.
- Add another column, this time of type Yes/No, called “Is Admin”:
- Open the SharePoint List settings:
- Scroll down to Views and click on All Items.
- Under Columns, click the checkbox next to Modified. This will allow the modified date to show in our view.
- Scroll to the bottom and click OK.
- Your SharePoint list should now look like this:
Flow
- Navigate to https://flow.microsoft.com/ and log in.
- Get started by Creating a flow from blank
- Pro Tip: Create this as a Team Flow so your team can manage it with you!
- Select Search hundreds of connectors and triggers.
- Search for When a HTTP request is received, and select it as your Trigger.
- Under Request Body JSON Schema, enter the following:

```json
{
  "type": "object",
  "properties": {
    "Device": {
      "type": "string"
    },
    "User": {
      "type": "string"
    },
    "IsAdmin": {
      "type": "string"
    }
  }
}
```
- Select New step
- Search for and select Initialize variable.
- Fill out the fields as follows:
We will need to refer to this Device/User combination a few times, so the variable will help us throughout the Flow.
- Add a New step again of type Initialize variable.
- Fill out the fields as follows:
- To fill in the Value field, search for “false” in the Expressions menu:
- Add a New step of type Get Items (SharePoint)
- Fill out the fields as following (customize the Site Address and List Name to match your SharePoint list):
This will allow us to see if there is an existing entry for the Device/User combination.
- Add a New step and select Apply to each:
- For Select an output from previous steps, choose value:
- Click Add an action and find and select Set a variable.
- Fill out the fields as following (using the expressions menu to fill in “true”):
- Now that we’ve determined if an item exists already, click New step at the bottom (outside of the loop), and choose Condition:
- Fill out the condition as follows:
- Under If yes (which indicates an item already exists with this Computer/User combination), add an action of Update Item from the SharePoint connector:
NOTE: by selecting ID for Id above, Flow will automatically put this action in a loop. You can safely leave that (you should not try to remove the loop). The action will still only occur once.
- Under If no (indicating no item exists in SharePoint for this Computer/User combination), add another Condition, and fill out as follows:
NOTE: Use the actual word “true”, not an Expression as in prior steps.
- Under the new Condition, under If yes (indicating the user is a local admin), add an action of Create Item from the SharePoint connector:
- Under the new Condition, under If no (indicating the user is not a local admin), add an action of Create Item from the SharePoint connector:
- Save your flow, and scroll back up to the top.
- For When an HTTP Request is received, you should now see a URL next to HTTP POST URL:
- Save that URL; you will need it in a later step.
PowerShell
- Create a PowerShell script with the following content and name it “CheckAdmin.ps1” (you can use Notepad if you prefer):
- Make sure to add your HTTP POST URL from above between the quotes on the second line.

```powershell
# The HTTP POST URL from Microsoft Flow
$URI = "" # ADD YOUR URL HERE
# Get current computer name
$computer = $env:computername
# Get current user name
$CurrentUser = whoami
# Get the user's local group membership (whoami returns one line per group)
$CurrentUserGroups = whoami /groups
# Check if the current user is a member of the local Administrators group
# (well-known SID S-1-5-32-544); -like against the array keeps the matching lines,
# so $CurrentUserAdmin is non-empty only when the SID is present
$CurrentUserAdmin = $CurrentUserGroups -like "*S-1-5-32-544*"
# If the user is an admin
if ($CurrentUserAdmin) {
    $body = ConvertTo-Json @{Device = $computer; User = $CurrentUser; IsAdmin = 'true'}
    # Start Flow
    Invoke-RestMethod -Uri $URI -Method Post -Body $body -ContentType 'application/json'
}
# If the user is not an admin
else {
    $body = ConvertTo-Json @{Device = $computer; User = $CurrentUser; IsAdmin = 'false'}
    # Start Flow
    Invoke-RestMethod -Uri $URI -Method Post -Body $body -ContentType 'application/json'
}
```
- Save the PowerShell script locally on your computer.
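As an added example (not part of the original post), here is a hardened variant of the collector. It reads the Administrators SID from the current user's token instead of parsing whoami text, times out and catches a failed POST, and exits non-zero so the Intune script report reflects the failure. The payload shape matches the Flow trigger schema above; the URL is a placeholder you replace with your own HTTP POST URL.

```powershell
# Added example: hardened variant of CheckAdmin.ps1, not the original post's script.
# Placeholder; paste the HTTP POST URL from the Flow trigger here.
$URI = "https://REPLACE-WITH-YOUR-FLOW-HTTP-POST-URL"

# Well-known SID of the built-in Administrators group.
$AdminSid = 'S-1-5-32-544'

# Inspect the token's group SIDs directly. The SID is present even when UAC has
# filtered the group ("Group used for deny only"), so membership is still reported,
# which is what this inventory is about.
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$IsAdmin  = $Identity.Groups.Value -contains $AdminSid

# Same three properties the Flow schema declares; IsAdmin must be a string
# because the Flow condition compares it to the literal word "true".
$Body = @{
    Device  = $env:COMPUTERNAME
    User    = $Identity.Name
    IsAdmin = $IsAdmin.ToString().ToLower()
} | ConvertTo-Json -Compress

# Windows PowerShell 5.1 defaults to older TLS; the Flow endpoint requires TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

try {
    Invoke-RestMethod -Uri $URI -Method Post -Body $Body -ContentType 'application/json' `
        -TimeoutSec 30 -ErrorAction Stop | Out-Null
    exit 0
}
catch {
    # A non-zero exit code surfaces the failure in the Intune script status.
    Write-Error "Flow call failed: $($_.Exception.Message)"
    exit 1
}
```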
Intune
- Navigate to your Intune portal by going to https://portal.azure.com/ and selecting Intune.
- Select Device Configuration.
- Select PowerShell Scripts.
- Select New, and fill in the information:
- For Script location, navigate to the PowerShell script you saved earlier.
  - Pro Tip: Keep a backup copy of this script. Intune does not allow you to re-download it.
- Click on Configure, and match the following settings:
- Click OK, and then Create.
- On the next screen, click Assignments:
- Click on Select groups
- At this point, select a group of Users that you want this script applied to.
  - It is important that the script is not applied to a group of Computers.
- Click Select, and then Save.
At this point your script will begin running for the users assigned. It could take 24 hours for data to start populating.
The way Intune handles PowerShell scripts means this will run a single time per user on each PC they log in to. This is great for collecting a one-time snapshot of local admin status, but if you want to run it again, simply repeat the Intune steps above. The Flow is already built to handle updates to existing list entries if you choose to run it multiple times.
Additionally, consider integrating the SharePoint list with PowerBI or alerting to get better visibility into this data.
Also, consider this solution for any data you want to gather from your Windows machines. You could grab application installations, disk health, and more! Just remember that every time this script runs on every machine, it will kick off a Flow, counting against your runs per month.
While not a perfect solution, hopefully, this gives you greater insight into your Intune-managed environment!
Thanks for reading!
Proper management of mobile devices is essential for any business to run efficiently. Not only that, but proper management helps to enhance the security of your data. Microsoft Intune provides you with both mobile device management (MDM) and mobile application management (MAM). This cloud-based service helps you to manage device usage as well as to configure specific policies for controlling applications. And this will apply to both corporate devices and personal (BYOD) devices. The enrollment process offers several different options for various scenarios. This blog will go over the options available to you so that you can find out how you should proceed.
Automatic enrollment
Users have the option to use Windows 10 automatic enrollment to enroll their devices. It’s a rather simple process that requires users to add their work accounts to personally-owned devices. Alternatively, you may also join a corporate-owned device to Azure Active Directory (Azure AD). The device will perform the process of registering and joining Azure AD in the background. And when the registration is complete, the device will now fall under the management of Intune. In order to perform this type of enrollment, you need to have an Azure AD Premium subscription as well as a Microsoft Intune subscription.
Personal device method
This method is particularly useful for businesses that have Bring-Your-Own-Device (BYOD) policies. Users can enroll their devices by going to the Settings panel and adding a Work and School account. Instead of going through a laborious process, the above action will trigger the registration of the device in Azure AD. Also, there will be automatic enrolling of the device in Microsoft Intune. This is a great option to have as it allows employees to enroll personal devices. The key requirement for this option is that auto-enrollment will need to be configured.
MDM only enrollment
By choosing this method, users can enroll Workgroup or Azure AD joined PCs into Intune. You would need to go to settings on the existing Windows PC to perform the enrollment. However, there are a couple of reasons why this method may not necessarily be the best way to go. To begin with, this method will not register the device into Azure AD. And undoubtedly this will create issues for you later. Furthermore, it also doesn’t allow you to access features such as Conditional Access.
Azure Active Directory
Here you’ll get an Azure AD Join method that will allow you to enroll corporate-owned devices into Intune. Similarly to enrolling personal devices, this method will require you to go to the Settings panel and add a Work and School account. You also get the option to join the device to Azure AD. During the configuration flow, you will have to choose to join Azure AD during that flow. If corporate devices are set up in advance, then this action can also be triggered during the Out-Of-The-Box-Experience (OOBE). This method also requires auto-enrollment.
Windows Autopilot
Using this method will give you automatic Azure AD Join and enrollment of new corporate devices into Intune. Not only does this method simplify OOBE but it will also eliminate the need for applying custom OS images onto the devices. When using Intune for the management of Autopilot devices, admins can manage things like policies and apps after enrollment. Four options are available under Autopilot deployment. These are Self-Deploying Mode, User-Driven Mode, Windows Autopilot for pre-provisioned deployment, and Autopilot for existing devices.
Device Enrollment Manager
This particular method facilitates the enrollment of multiple devices by the admin. The DEM account comes with some great permissions that enable admins to enroll and manage several devices. In fact, it allows them to manage up to 1000 corporate-owned devices. This will also allow for bulk enrollment of non-personal corporate-owned devices. The requirements here call for the prior configuration of both auto-enrollment and Device Enrollment Manager.
Windows IoT Core devices
Microsoft allows you to manage your IoT Core devices with all your other managed devices. To enroll IoT Core devices, you’ll need to use the Windows IoT Core Dashboard for device preparation. After that, you have to create a provisioning package using Windows Configuration Designer. You start the process by changing the Intune MDM user scope in Azure AD. Having done that, you then create a setup SD card for the IoT Core device. The media on the SD card is what you’ll need during initial boot up to install the provisioning package and automatically enroll devices into Intune.
Provisioning package
This option enables admins to bulk enroll corporate-owned devices. By using a provisioning package, you can add devices in bulk to Azure AD and automatically enroll them into Intune. Auto-enrollment is also a requirement for this method. In addition, you’ll need to ensure that the maximum number of devices that a user can add to Azure AD lines up with the usage of the package.
Co-management
Under this method, admins can automatically enroll corporate-owned devices that are already managed by Configuration Manager into Intune. This requires management under Configuration Manager as well as the use of co-management. As with the above options, you need to have auto-enrollment configured. Also, the device should be registered or joined to Azure AD.
Time to sign up
Microsoft Intune is a fantastic platform for protecting corporate data as well as controlling access to it. With the modern workforce leaning more towards mobile devices, companies need to start adapting. The key concern, however, is security. And that is something that Intune deals with brilliantly. It enables employees to securely access on-premises email and data. Furthermore, you can allow employees to use personal devices while still maintaining that high degree of security. The current business environment requires innovation to keep operating efficiently at a high level. And with all the benefits of Microsoft Intune, enrolling is an easy decision to make.