I’ve taken information from several sources and written a single “Do It All – Onedrive For Business configuration script” for the Windows 10 Modern Management (Intune MDM Azure AD Join) scenario.
The script can be deployed through Intune to your Windows 10 MDM clients and will do the following silently:
- check latest O4B version and update to it
- detect O4B configuration, start auto config
- completely silent / invisible configuration with SSO
- optionally, enable Files On Demand
- optionally, redirect folders to Onedrive
- optionally, copy old content
O4BClientAutoConfig + source code.
Let’s say something (like Intune) starts your Powershell script in 32 bit and you really need commands that only 64 bit Powershell has….
#Restart self in x64
Write-Output "Running 32 bit Powershell on 64 bit OS, restarting as 64 bit process..."
$arguments = "-NoProfile -ExecutionPolicy ByPass -WindowStyle Hidden -File `"" + $myinvocation.mycommand.definition + "`""
$path = (Join-Path $Env:SystemRoot -ChildPath "\sysnative\WindowsPowerShell\v1.0\powershell.exe")
Start-Process $path -ArgumentList $arguments -wait
Write-Output "finished x64 version of PS"
Write-Output "Running 32 bit Powershell on 32 bit OS"
With the above at the top of your script, it’ll automatically restart itself if needed 🙂
On a clean install, Windows 10 has ‘suggestions’ in the start menu luring your users into installing stuff like Candy Crush.
If you want to prevent this, put the following PS snippet into a file:
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Value 0 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SubscribedContent-338388Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
Then head to the Intune Console, go into device configuration and add the above file:
Make sure you let it run in the user’s context:
And finally, assign it to a group (or groups) containing your users.
If you’re using Windows 10 Enterprise or higher Sku’s, you can also use ADMX backed policies as per RKast’s suggestion in the comments below 🙂
One of my customers is doing a full cloud-only pilot of Windows 10, Mobile (MDM) managed through Intune to leverage a least-infrastructure solution worldwide.
They’re using Azure AD, but opted out of Onedrive for Business and are using Box Drive instead.
To encourage their users to actually save data to Box instead of Onedrive or locally, I wrote a little Powershell script (since Intune native PS script deployment isn’t live yet). This script checks if Box has been configured, if not it throws a little popup to the user. If it has, it redirects My Documents, and copies any existing content from it to Box.
I used Advanced Installer to wrap this in an MSI for easy deployment through Intune, and would like to share this with you 🙂
ZIP download: configureBoxRedirection_v1.02.zip
- ps1 file which does the actual work
- vbs wrapper to run it silently (hidden windows)
- .aip file (advanced installer)
- .msi file (to roll out with Intune or other tools)
- added a caching mechanism to force Box Drive to locally cache files (normally Box only does this when they are opened)
- added a caching filter to prevent caching of files above 25MB to reduce initial bandwidth overhead
- added a 5 minute loop / wait cycle to allow box to initialize, as the script may otherwise run before Box can initialize
I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne that I simply have to share, and expand upon.
When you go cloud first, and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a Bitlocker policy in Intune. What you’ll quickly discover, is that your policy will not automatically enforce/enable Bitlocker on non-InstantGo capable devices.
So, I expanded upon Jan and Pieter’s script to automatically enable Bitlocker on Windows 10; it has additional error handling, local logging and it will eject removable drives prior to immediately (vs reboot) encrypting your system drive. After this is started, it will register your recovery key in AzureAD. Of course all credit for the original idea goes to Jan van Meirvenne.
Powershell source file
enableBitlockerAndRegisterInAAD.ps1 (right click, save as)
enableBitlockerAndRegisterInAAD_v0.2.msi(right click, save as)
As Intune won’t let you deploy a Powershell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do;
- Deploy the PS1 file to the machine
- Register a scheduled task to run this PS1 file at logon each time
- Kick off the scheduled task once so a first reboot isn’t required
Advanced installer package (.aip)
enableBitlockerAndRegisterInAAD.zip (right click, save as)
- Windows 10, AzureAD Joined
- TPM chip
- User should be local admin
Onedrive for Business’s client, the new Next Generation Sync client, is awesome. Obviously.
So you want it on your devices, but Microsoft distributes it as .exe. Nasty, because I want to manage Windows 10 as mobile devices through Intune, and that only allowes me to distribute as MSI.
I created an MSI for Onedrive for Business’s Next Generation Client using Advanced Installer. Because I’m not allowed to redistribute Microsoft’s .exe, this MSI downloads the .exe from Microsoft’s website, it uses /silent and /takeover as installation switches. Continue reading Deploying the new Onedrive Next Generation Sync client as MSI through Intune to Windows 10
Azure AD, Intune and Windows 10 offer an incredibly nice light management option, where your users can use any Windows 10 Pro or higher device and simply join it to your Azure AD on their own.
Intune then allows you to enforce your security policies on those devices, and to distribute AppX and MSI packages to those devices.
Traditionally, IT used to manage devices using GPO’s or more, allowing a very high degree of granular configuration and remediation. Intune or the Enterprise Mobility Suite don’t offer good alternatives for Group Policy, and don’t allow scripts to be deployed natively, this greatly limits us.
However, the ability to deploy an MSI can be leveraged to still offer any of the granular management we used to do. I would very, very strongly advocate only using this as a last resort, don’t swim against the current, let users manage their own device and move to a services based architecture for your organisation’s IT.
Today’s case for a global NGO with a fully EMS licensed user base covers the distribution and installation of a large number of templates for Microsoft Word, including a normal.dot, macro’s and the required group policy settings to make word use these templates. Continue reading EMS case: distributing Office templates and macro’s to your users on Windows 10 mobile managed Azure AD Joined devices
So, recently a customer installed the Intune client in an image, as my previous post details, causing the client to enter a bricked state.
Reinstallation of the client can fix this, but we wanted minimum user interaction as a large number of machines was already distributed.
For those who remember Winrar, it is a fantastic ZIP tool that can create a self-extracting archive (.EXE) which auto-self elevates (admin rights) and can automatically start a file from the archive after extraction.
Include the Intune setup file and the certificate Microsoft includes, and this script (as .bat), and your Intune installation will be ‘cleaned up’. Note that you may see some file protection dialogs.
Source code: Continue reading Killing and reinstalling the Intune Client without user interaction
If you want to deploy the Intune Client using a (golden/generalized) image with System Center Configuration Manager or any other tool, make sure you haven’t already installed the Intune Client on that machine and follow the correct procedure.
The Intune Client generates a machine specific certificate in the Personal Store of the machine. This certificate is only valid for that machine. If you then base your image on this machine, all installations using that image will fail, Intune will report error 0x80070005 when trying to update. The full log of Updates.log in c:\Program Files\Microsoft\OnlineManagement\Logs will look like this below log.
EDIT: if you want to ‘reset’ / ‘fix’ the Intune Client with a script / automatically, read here
Continue reading Intune Client does not appear in console and displays error 0x80070005 when updating