Detect Intune App Installation Anomalies with Azure AI


In one of my previous blog posts I explained how you can use Azure Automation and Azure Cognitive Services (now Azure AI Services) to monitor the compliance state of your environment and notify you if there are major deviations. In this part of the series I want to show you how you can apply this to the deployment of your applications and also get notified if the installation of an application suddenly fails abnormally often.

Automate Intune App Assignment Groups with Azure Runbooks


Automatic assignment groups are useful when app deployment should stay consistent without manually creating a new Microsoft Entra group every time an Intune app is added. The pattern works best when group names, app names, and assignment intent follow the same convention.

In production tenants I recommend validating the group creation flow with one pilot application first. Check the created group, verify the Intune assignment, and document the naming rule before you let automation create groups for a larger application catalogue.

When you create a new app in the Intune admin center and do not assign it to AllUsers/AllDevices, it is always some work to create your own groups for the available/required and uninstall assignments of each app. You know I love automation. To save time and automate this work, I will describe in this blog how you can create a runbook that takes over this work completely.

Use Endpoint Analytics to clean up the disk


I have already written several blog posts about Endpoint Analytics. In the Microsoft Tech Community the question came up how to clean up the disk using Intune. This is a question that is difficult to answer generically as it is always very specific. As more and more applications and data move to the cloud and storage becomes cheaper and cheaper, the amount of storage needed on workplace devices and the problems with full hard disks are no longer as present as in the past.

In this blog I will show you how to free up disk space on your clients with high disk usage. So let’s get started.

A default set on assignment Filter


In one of my posts I have explained how you can create and apply assignment filters. It is a very powerful feature to refine the assignment of a group. For example, you can assign a config profile to all devices and apply a filter to deploy the config profile only on Windows 11 devices within the group. To make it easier for you to start with filters I wrote a script which creates a default set of filters.

Detect anomalies in your Intune environment with Azure Cognitive Services – Part 1 Device Compliance


It is hard to keep track of your Intune environment. With the help of log events you can build static monitoring via Azure Automation or Logic Apps. This is possible if you are only interested in a specific event or if you can express the condition in static code. However, if you want to detect anomalies, e.g. a strong increase or decrease of the device count or of the number of compliant devices, it is difficult to set static values and to implement this without machine learning. In this blog series I would like to show you how you can use Azure Cognitive Services (now Azure AI Services) to build a monitoring system that sends you messages based on abnormal deviations. So let’s get started.

Sync Azure AD Group with Kiosk Config Profile

Sync Microsoft Entra ID Group with Kiosk Config Profile

Synchronizing an Azure AD group with a kiosk configuration profile is mainly about keeping the assignment target reliable. The group should clearly describe the kiosk scenario, the device ownership model, and the configuration profile it belongs to.

Before using the approach in production, validate the group membership, profile assignment, and device check-in behavior on a small number of test devices. This makes it easier to separate assignment problems from kiosk shell or application configuration problems.

I have already described in a previous blog how to deploy a device as a kiosk device using Intune. This actually works really well. There is only one small thing that is really inconvenient. If a Microsoft Entra ID (formerly Azure AD) user or group is selected as the logon type (only specific users are allowed to log on to these devices), this policy must not only be assigned to a group, but the allowed users must also be defined in the profile. The option also allows you to add Microsoft Entra ID users and groups, and the SIDs of these objects are written to the local group, but Windows cannot resolve the Microsoft Entra ID groups (bug or feature?). The resolution of whether the user who is trying to log in is a member of one of the groups is done by Windows via Graph; when MFA is disabled, it works. But if MFA is enabled, Windows fails to get the token. In this blog I want to show you how you can easily work around this by syncing a Microsoft Entra ID group with this configuration profile.

Intune Tool Box – Rebuild of Intune in PowerShell


This post introduces the Intune Toolbox — my open-source attempt at Rebuilding Intune in PowerShell. It is a modular collection of PowerShell scripts that wrap the most common Intune admin operations (devices, apps, policies, assignments) so you can run them from your terminal instead of clicking through the admin centre.

I think everyone who works with Intune on a daily basis knows the situation of wishing for a simple feature that would simplify their daily work. In order to close exactly these gaps I decided to code my own tool with many small features that make life easier for Intune admins. This was the birth of the Intune Tool Box. This tool is a WPF application that is written in PowerShell. The app has the same design as Intune but offers small helpers for the daily work. The good thing is that this app is built in such a way that it can be easily extended at any time. If you have a feature in mind that you are missing in the Intune console and that can be solved via Graph, let me know so that I can add it to the app. My plan is to develop the app step by step and bring in new cool features.

Applicability Rule: Gone but still there


With the introduction of assignment filters, the value of applicability rules has diminished. With applicability rules you could define on which OS versions a configuration profile should work. Unfortunately, the ability to configure or delete applicability rules for some configuration profile types from the console has also been removed. It is to be expected that this can happen piece by piece for further types as well. In this blog post I want to show you how you can easily remove all applicability rules and switch to filters as soon as possible.

Convert Azure AD User and Device Groups with PowerShell

Convert Microsoft Entra ID User and Device Groups with PowerShell

In your environment you have multiple groups to create assignments of an app or a configuration profile. If you later realize it would be better if this was not a device group but a user group, it is hard to change this without impacting the user or investing a lot of effort. I have written a script with which you can convert a user group into a device group or a device group into a user group, based on the user assigned to a device or on the devices assigned to the user.

Copy Intune Discovered Apps in Log Analytics Workspace

Copy Intune Discovered Apps in Log Analytics Workspace

Intune offers the possibility to show per device not only the apps installed via Intune but also the apps discovered on the device (Control Panel apps). Since this view is relatively static and only available per device, it is difficult to analyze the complete environment, e.g. to see which app is missing in the portfolio, since such apps are often installed by users themselves. Why don’t we use Log Analytics to have more options to work with this information? In this blog I want to show you how you can do this easily with a script.
