Category Archives: Intune

IssuePfx – The submission failed error Intune to PKI connector

As I couldn’t google an answer to this one and the error was misleading, if you are using the Intune Service Connector to distribute PCKS certificates from your onprem PKI to your Intune clients and see the following error in the Connector eventlogs:






“CaName”:”PATH TO CA\\CAFriendlyName”,





“DiagnosticText”:”We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \”DiagnosticException\”] [Exception Message: \”IssuePfx – The submission failed\”]”






And this error on your CA:

EventId 22:

Active Directory Certificate Services could not process request 136204 due to an error: Error 0xc8000211 (ESE: -529).  The request was for COMPUTERNAME.  Additional information: Error Parsing Request

Ensure you restart the Active Directory Certificate Services service on your CA. This is not required as per the documentation, but was surely required in my environment.

Mapping legacy server shares in your Windows 10 MDM Intune pilot

In a Windows 10 full MDM (AzureAD+Intune) scenario, you’ll move your email, app and file workloads to Office 365 (or alternatives).

In your pilot or hybrid phase, you may still need access to certain file shares on your servers, so here’s a simple PowerShell script you can deploy using Intune Device Configuration that maps your desired share. Deploy multiple times for multiple shares (or groups of users).

It will create a shortcut in a location you define, so the mapping is always user-driven, it will automatically suggest your user’s AzureAD login as username. You can of course customize the script to your liking if you did not change your local AD upn yet.

Gitlab home


  • Windows 10 (MDM)
  • Intune
  • Direct SMB lan connection to share

Remove-StaleIntuneDevices using a scheduled Azure Runbook

I recently came upon a really cool post by Josh and Sarah that explains how to clean up stale devices in Intune using the Graph API.

As I want to run this from an Azure runbook, silently, I had to modify it a little so it automatically consents to azure app permissions and logs in silently. If you’d like to use it, feel free to add it from the Azure gallery (search for Lieben) or download it yourself.

Make sure you’ve also imported the AzureAD and AzureRM modules into your automation account, and configured a credential object for the script to use.

GitLab: Remove-StaleIntuneDevicesForAzureAutomation.ps1

Technet: Remove-Stale-Intune-4b07488a

set Intune MDM user scope to ALL using Powershell and hidden API

If you want to change the settings on this page (or most Azure Portal pages) programmatically:

Microsoft’ll tell you to use your browser, there is no API/PS for this yet. As I really hate the answer “no”, I used Fiddler and baked some Powershell:

<p>login-azurermaccount<br />
$context = Get-AzureRmContext<br />
$tenantId = $context.Tenant.Id<br />
$refreshToken = $context.TokenCache.ReadItems().RefreshToken<br />
$body = &quot;grant_type=refresh_token&amp;refresh_token=$($refreshToken)&amp;resource=74658136-14ec-4630-ad9b-26e160ff0fc6&quot;<br />
$apiToken = Invoke-RestMethod &quot;$tenantId/oauth2/token&quot; -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'</p>
<p>$header = @{<br />
'Authorization' = 'Bearer ' + $apiToken.access_token<br />
'Content-Type' = 'application/json'}<br />
$url = &quot;;mamAppliesToChanged=true&quot;</p>
<p>$content = '{&quot;objectId&quot;:&quot;eab0bcaf-9b2e-4e62-b9be-2eea708422f8&quot;,&quot;appId&quot;:&quot;0000000a-0000-0000-c000-000000000000&quot;,&quot;appDisplayName&quot;:&quot;Microsoft Intune&quot;,&quot;appCategory&quot;:null,&quot;logoUrl&quot;:null,&quot;isOnPrem&quot;:false,&quot;appData&quot;:{&quot;mamEnrollmentUrl&quot;:null,&quot;mamComplianceUrl&quot;:null,&quot;mamTermsOfUseUrl&quot;:null,&quot;enrollmentUrl&quot;:&quot;;,&quot;complianceUrl&quot;:&quot;;,&quot;termsOfUseUrl&quot;:&quot;;},&quot;originalAppData&quot;:{&quot;mamEnrollmentUrl&quot;:&quot;;,&quot;mamComplianceUrl&quot;:&quot;&quot;,&quot;mamTermsOfUseUrl&quot;:&quot;&quot;,&quot;enrollmentUrl&quot;:&quot;;,&quot;complianceUrl&quot;:&quot;;,&quot;termsOfUseUrl&quot;:&quot;;},&quot;mdmAppliesTo&quot;:2,&quot;mamAppliesTo&quot;:2,&quot;mdmAppliesToGroups&quot;:[],&quot;mamAppliesToGroups&quot;:[]}'<br />
Invoke-RestMethod –Uri $url –Headers $header –Method PUT -Body $content -ErrorAction Stop

You can do almost anything using the above snippet and changing the endpoint URL and POST contents. Use Fiddler to capture, then replicate in code 🙂

Be warned and use at your own risk, obviously this method is unsupported.

Onedrive For Business Silent Deployment, Configuration and Folder Redirection through Intune MDM for Windows 10

I’ve taken information from several sources and written a single “Do It All – Onedrive For Business configuration script” for the Windows 10 Modern Management (Intune MDM Azure AD Join) scenario.

The script can be deployed through Intune to your Windows 10 MDM clients and will do the following silently:

    • check latest O4B version and update to it
    • detect O4B configuration, start auto config
    • completely silent / invisible configuration with SSO
    • optionally, enable Files On Demand
    • optionally, redirect folders to Onedrive
    • optionally, copy old content

O4BClientAutoConfig + source code.


Restarting a x86 Powershell Process as x64 automatically

Let’s say something (like Intune) starts your Powershell script in 32 bit and you really need commands that only 64 bit Powershell has….

<p>#Restart self in x64<br />
If (!([Environment]::Is64BitProcess)){<br />
    if([Environment]::Is64BitOperatingSystem){<br />
        Write-Output &quot;Running 32 bit Powershell on 64 bit OS, restarting as 64 bit process...&quot;<br />
        $arguments = &quot;-NoProfile -ExecutionPolicy ByPass -WindowStyle Hidden -File `&quot;&quot; + $myinvocation.mycommand.definition + &quot;`&quot;&quot;<br />
        $path = (Join-Path $Env:SystemRoot -ChildPath &quot;\sysnative\WindowsPowerShell\v1.0\powershell.exe&quot;)<br />
        Start-Process $path -ArgumentList $arguments -wait<br />
        Write-Output &quot;finished x64 version of PS&quot;<br />
        Exit<br />
    }else{<br />
        Write-Output &quot;Running 32 bit Powershell on 32 bit OS&quot;<br />
    }<br />
}<br />

With the above at the top of your script, it’ll automatically restart itself if needed 🙂

Getting rid of start menu ads in Windows 10 Modern Management using Intune PS script

On a clean install, Windows 10 has ‘suggestions’ in the start menu luring your users into installing stuff like Candy Crush.

If you want to prevent this, put the following PS snippet into a file:

<p>New-ItemProperty -Path &quot;HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager&quot; -Name &quot;SystemPaneSuggestionsEnabled&quot; -Value 0 -PropertyType DWORD -Force | Out-Null<br />
New-ItemProperty -Path &quot;HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager&quot; -Name &quot;SubscribedContent-338388Enabled&quot; -Value 0 -PropertyType DWORD -Force | Out-Null</p>

Then head to the Intune Console, go into device configuration and add the above file:

Make sure you let it run in the user’s context:

And finally, assign it to a group (or groups) containing your users.

If you’re using Windows 10 Enterprise or higher Sku’s, you can also use ADMX backed policies as per RKast’s suggestion in the comments below 🙂

Redirecting My Documents to Box Drive, using Intune (Windows 10 MDM)

One of my customers is doing a full cloud-only pilot of Windows 10, Mobile (MDM) managed through Intune to leverage a least-infrastructure solution worldwide.

They’re using Azure AD, but opted out of Onedrive for Business and are using Box Drive instead.

To encourage their users to actually save data to Box instead of Onedrive or locally, I wrote a little Powershell script (since Intune native PS script deployment isn’t live yet).  This script checks if Box has been configured, if not it throws a little popup to the user. If it has, it redirects My Documents, and copies any existing content from it to Box.

I used Advanced Installer to wrap this in an MSI for easy deployment through Intune, and would like to share this with you 🙂

ZIP download:

Zip contents:

  1. ps1 file which does the actual work
  2. vbs wrapper to run it silently (hidden windows)
  3. .aip file (advanced installer)
  4. .msi file (to roll out with Intune or other tools)

Update 10/10:

  1. added a caching mechanism to force Box Drive to locally cache files (normally Box only does this when they are opened)
  2. added a caching filter to prevent caching of files above 25MB to reduce initial bandwidth overhead

Update 04/12:

  1. added a 5 minute loop / wait cycle to allow box to initialize, as the script may otherwise run before Box can initialize

Automatically bitlocker Windows 10 MDM Intune Azure AD Joined devices

I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne that I simply have to share, and expand upon.

When you go cloud first, and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a Bitlocker policy in Intune. What you’ll quickly discover, is that your policy will not automatically enforce/enable Bitlocker on non-InstantGo capable devices.

So, I expanded upon Jan and Pieter’s script to automatically enable Bitlocker on Windows 10; it has additional error handling, local logging and it will eject removable drives prior to immediately (vs reboot) encrypting your system drive. After this is started, it will register your recovery key in AzureAD. Of course all credit for the original idea goes to Jan van Meirvenne.

Powershell source file

enableBitlockerAndRegisterInAAD_v0.04.ps1 (right click, save as)

MSI file

enableBitlockerAndRegisterInAAd_v0.04.msi (right click, save as)

As Intune won’t let you deploy a Powershell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do;

  1. Deploy the PS1 file to the machine
  2. Register a scheduled task to run this PS1 file at logon each time
  3. Kick off the scheduled task once so a first reboot isn’t required

Advanced installer package (.aip) (right click, save as)


  1. Windows 10, AzureAD Joined
  2. TPM chip
  3. User should be local admin

Deploying the new Onedrive Next Generation Sync client as MSI through Intune to Windows 10

Onedrive for Business’s client, the new Next Generation Sync client, is awesome. Obviously.

So you want it on your devices, but Microsoft distributes it as .exe. Nasty, because I want to manage Windows 10 as mobile devices through Intune, and that only allowes me to distribute as MSI.

I created an MSI for Onedrive for Business’s Next Generation Client using Advanced Installer. Because I’m not allowed to redistribute Microsoft’s .exe, this MSI downloads the .exe from Microsoft’s website, it uses /silent and /takeover as installation switches. Continue reading Deploying the new Onedrive Next Generation Sync client as MSI through Intune to Windows 10