📱 Intune
Windows Autopilot in Intune: A Step-by-Step Guide
Pre-configure and provision Windows devices so end users can set up without IT involvement

Windows Autopilot lets you pre-configure and provision Windows devices, enabling end users to set up their devices without IT involvement. Follow the steps below to deploy it end-to-end.

Prerequisites
→ Windows 10 version 1703 or later · Azure AD or Hybrid Azure AD joined
→ Microsoft Intune and Azure AD Premium licenses
→ Devices connected to internet during OOBE · OEM supports Autopilot

Step 1 — Enable Autopilot in Intune
→ endpoint.microsoft.com → Devices → Windows → Windows Enrollment → Autopilot → Devices → Import CSV
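# Run on the device in an elevated PowerShell session to capture its hardware hash for the CSV import
New-Item -ItemType Directory -Path C:\HWID -Force | Out-Null
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile C:\HWID\DeviceID.csv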

Step 2 — Create Deployment Profile
→ Windows Enrollment → Deployment Profiles → Create Profile
→ Platform: Windows PC · Type: User-Driven · Convert all targeted devices to Autopilot = Yes

Step 3 — Create Dynamic Azure AD Group
→ Azure AD → Groups → New Group → Dynamic Device
→ Rule: (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

Step 4 — Assign Apps & Policies
→ Intune → Apps → Assign apps to Autopilot group
→ Assign Wi-Fi, restrictions, and compliance rules
📅 May 15, 2025 ✎️ TheiTnotesguy
📱 Intune
Deploying HP Printer via Intune — Step-by-Step Guide
Driver installation, Win32 app packaging, install/uninstall/detection scripts

A complete guide to deploying HP printers via Intune Win32 apps — driver download, INF inspection, PowerShell install/uninstall/detection scripts, and intunewin packaging.

Step 1 — Download & Test Drivers
Step 2 — Extract Driver Package
Extract the ZIP. Open the .INF file — find the exact driver name (e.g. "HP Universal Printing PS")
Step 3 — Create install.ps1
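# install.ps1: stage the driver, then create the TCP/IP port and the printer
$PrinterName = "HP Color LaserJet MFP E78625"
$PrinterIP   = "192.168.10.28"
$PortName    = "IP_$PrinterIP"
$DriverName  = "HP Universal Printing PS"

# Add every .inf in the package folder (and subfolders) to the driver store
Start-Process pnputil.exe -ArgumentList @("/add-driver",".\*.inf","/install","/subdirs") -Wait
# Register the driver with the spooler; the name must match the .INF exactly
Add-PrinterDriver -Name $DriverName -Confirm:$false
Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP -Confirm:$false
Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName -Confirm:$false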
Step 4 — Create uninstall.ps1
# uninstall.ps1: remove the printer first, then the port it was using
Remove-Printer -Name "HP Color LaserJet MFP E78625" -Confirm:$false
Remove-PrinterPort -Name "IP_192.168.10.28" -Confirm:$false
Step 5 — Create detection.ps1
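The post names detection.ps1 but does not show it. The script below is an added example, not the author's: it reports the app as installed only when the printer exists with the driver, port and IP address that install.ps1 sets, so a printer left on a stale port or the wrong driver is redeployed. The values are copied from install.ps1; the check logic is an assumption about what "installed" should mean here.

```powershell
# Added example detection.ps1, not from the original post.
# Values copied from install.ps1 above.
$PrinterName = 'HP Color LaserJet MFP E78625'
$PrinterIP   = '192.168.10.28'
$PortName    = "IP_$PrinterIP"
$DriverName  = 'HP Universal Printing PS'

$printer = Get-Printer     -Name $PrinterName -ErrorAction SilentlyContinue
$port    = Get-PrinterPort -Name $PortName    -ErrorAction SilentlyContinue

# All four facts must hold: printer present, bound to the expected driver,
# bound to the expected port, and that port pointing at the expected address.
$ok = $printer -and $port -and
      $printer.DriverName      -eq $DriverName -and
      $printer.PortName        -eq $PortName   -and
      $port.PrinterHostAddress -eq $PrinterIP

if ($ok) {
    # Intune treats the app as detected only when the script exits 0
    # AND writes a string to standard output.
    Write-Output "Detected $PrinterName on $PortName"
    exit 0
}

# No output and a non-zero exit code: not detected, so the install command runs.
exit 1
```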
Step 6 — Package with IntuneWinAppUtil and deploy as Win32 app
📅 May 15, 2025 ✎️ TheiTnotesguy
📱 Intune
Policy and App Log Paths for Intune-Managed Windows
IME logs, Event Viewer paths, registry keys, Company Portal logs, and Task Scheduler

Essential log paths and registry locations for troubleshooting policy and application deployment on Intune-managed Windows devices.

IME Logs
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
• IntuneManagementExtension.log · AgentExecutor.log · Sensor.log · Scripts.log
Event Viewer
Apps & Services → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin
Registry Paths
HKLM\SOFTWARE\Microsoft\PolicyManager
HKLM\SOFTWARE\Microsoft\Enrollments
HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement
Company Portal Logs
%localappdata%\Packages\Microsoft.CompanyPortal_8wekyb3d8bbwe\LocalState\DiagOutputDir
Task Scheduler
Task Scheduler → Microsoft → Windows → EnterpriseMgmt → PushLaunch task
📅 May 15, 2025 ✎️ TheiTnotesguy
📱 Intune
Deploy PowerShell Script via Intune — Upload & Assign
Steps to upload, configure, and assign a PowerShell script through the Intune admin center

Step-by-step guide to uploading and assigning a PowerShell script through the Intune Admin Center with the correct execution settings.

1. endpoint.microsoft.com → Devices → Scripts and remediations → Platform scripts
2. Click + Add → Windows 10 and later
3. Name your script, upload your .ps1 file
Recommended Settings:
• Run using logged-on credentials: No
• Enforce script signature check: No
• Run in 64-bit PowerShell: Yes
4. Assign to the correct device group → Create
📅 May 15, 2025 ✎️ TheiTnotesguy
📱 Intune
Corporate & BYOD Device Enrollment in Microsoft Intune
Covering both corporate-owned (Autopilot / DEP / Android Enterprise) and personal BYOD devices

Step-by-step enrollment guides for Windows, iOS/macOS, and Android — covering both corporate-owned (Autopilot / DEP / Android Enterprise) and personal BYOD devices, plus best practices for each.

📅 May 15, 2025 ✎️ TheiTnotesguy
📱 Intune
Configure Conditional Access and MFA for Microsoft Teams
Step-by-step guide to enforcing MFA on Microsoft Teams using Microsoft Entra ID Conditional Access, scoped to a security group

A complete walkthrough to configure a Conditional Access policy that enforces Multi-Factor Authentication for Operations users accessing Microsoft Teams — covering prerequisites, user group assignment, cloud app selection, conditions, grant controls, and session settings.

Prerequisites
→ Global Administrator or Conditional Access Administrator role
→ Microsoft Entra ID P1 or higher licence
→ Ops users added to an Ops Security Group

Summary of Steps
→ Step 1: Sign in to Microsoft Entra Admin Center → Open Conditional Access
→ Step 2: Create new policy — name it Ops_ConditionalAccess_Teams_MFA
→ Step 3: Assign policy to the Ops Security Group
→ Step 4: Scope to Microsoft Teams cloud app
→ Step 5: Configure conditions (device platform, location, sign-in risk)
→ Step 6: Grant → Require multi-factor authentication
→ Step 7: Configure session controls (optional)
→ Step 8: Enable and Create the policy
📅 May 15, 2025 ✎️ TheiTnotesguy
📱 Intune
PowerShell Script to Create Local Admin Account via Intune
Create a local admin account on managed devices using a PowerShell script deployed through Intune

Create a new local admin account on Intune-managed Windows devices. The script checks for existence before creating and adds the user to the Administrators group.

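$Username = "LocalAdmin"
# Single quotes are required here: inside double quotes PowerShell expands $1
# as a (empty) variable and the password silently becomes "Net@admin"
$Password = ConvertTo-SecureString 'Net@admin$1' -AsPlainText -Force

# Create the account only if it does not exist yet
if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Username -Password $Password -PasswordNeverExpires
    Add-LocalGroupMember -Group "Administrators" -Member $Username
    Write-Output "Account created."
} else {
    Write-Output "Account already exists."
}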
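The script above puts one fixed, non-expiring administrator password in a file that is delivered to every device. The variant below is an added example, not the author's script: it gives each device its own random password that never appears in the script or its output, on the assumption that a Windows LAPS policy targeting the same account name rotates and escrows the password afterwards. The helper name, password length and alphabet are assumptions.

```powershell
# Added example, not the original script. Assumes a Windows LAPS policy manages
# the account named in $Username and rotates/escrows its password afterwards.
$Username = 'LocalAdmin'   # account name from the script above
$Length   = 24             # assumed password length
# Assumed alphabet: look-alike characters (0/O, 1/l/I) left out
$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_=?'

function New-RandomSecureString {   # hypothetical helper
    param([int]$Length, [string]$Alphabet)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure = New-Object System.Security.SecureString
    $byte   = New-Object byte[] 1
    # Reject bytes at or above the largest multiple of the alphabet size,
    # so every character is equally likely (no modulo bias).
    $limit  = 256 - (256 % $Alphabet.Length)
    try {
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                $secure.AppendChar($Alphabet[$byte[0] % $Alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    $secure.MakeReadOnly()
    return $secure
}

if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    $Password = New-RandomSecureString -Length $Length -Alphabet $Alphabet
    # -ErrorAction Stop: a password rejected by local policy or a failed group
    # add ends the run with an error instead of reporting success.
    New-LocalUser -Name $Username -Password $Password -ErrorAction Stop | Out-Null
    # S-1-5-32-544 is the built-in Administrators group; the SID also works on
    # non-English Windows, where the group name is localized.
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Username -ErrorAction Stop
    Write-Output 'Account created.'
} else {
    Write-Output 'Account already exists.'
}
```

Until the LAPS policy performs its first rotation nobody knows the account's password, which is the intended state: the only retrievable credential is the one LAPS escrows.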
📅 May 15, 2025 ✎️ TheiTnotesguy