Intune Archives - SuperUserTips

Deploy Trusted sites zone assignment using Intune

mando — Mon, 06 Nov 2023 08:04:36 +0000

Deploy a set of trusted sites overriding users’ ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required.

Hit the Create button and Select New policy

From the Create a profile menu, select Windows 10 and later for Platform , Templates for Profile type. Select Administrative templates and click Create.

Give the profile desired name and click Next.

In Configurations settings, select Computer Configuration and search for keyword “Site to Zone“, Site to Zone Assignment List setting will be listed under search results. Go ahead click on it to Select it.

Once selected, a Site to Zone Assignment List page will appear on right side explaining different zones and values required for these zone for setup. Since this profile is being used for trusted sites, we will use the Value “2” . Go ahead and select Enabled button and start entering the trusted sites as required. please ensure to set each value to “2”. See example below:

^{Learn more about Zones: https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries#zones}

Once done adding the list of sites, click OK to close it and Hit Next on Configuration settings page.

Add Scope tags if needed.

Under Assignments, Click Add groups to target the policy deployment to specific group of devices/users. You can also select Add all users / All all devices.

Hit Next. Then Hit Review + Save button to save.

The post Deploy Trusted sites zone assignment using Intune appeared first on SuperUserTips.

Uninstall Teams chat app using remediation script and a configuration profile in Intune

mando — Tue, 31 Oct 2023 05:03:59 +0000

Windows 11 OS upgrades and new Windows 11 workstations are coming with a built-in Teams for home chat app preinstalled, intented to use with a personal Microsoft account . This can be an issue for orgs that use Teams for work or school edition as the preinstalled chat version of app remains installed even after installing Teams for work or shool, causing confusion between which one to use. Users may attempt to sign in to chat app with their work account which wont work.

Use the methods below on how to uninstall and disable the built-in chat app using Intune.

Step 1: Use a Proactive Remediation script

Proactive remediation script package will detect uninstall the Teams chat app if it exists and also configure the registry to disable auto-install of chat app in future.

For this, you’ll need to create two powershell script files, one for detecting the issue and another for remediation:

Detect_TeamsChatApp.ps1
Remediate_TeamsChatApp.ps1

You can download both files in zip format here:
TeamsChatApp_ProactiveRemediation_Files.zip

Copy paste contents of each file below to create your own files

Detect_TeamsChatApp.ps1

PowerShell

$OSversion = (Get-WmiObject -class Win32_OperatingSystem).Buildnumber
If ($OSversion -like "2*") {
    try {

        # check the reg key for teams chat app autoinstall
        If (((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications').PSObject.Properties.Name -contains 'ConfigureChatAutoInstall') -eq $true) {
            if ( (Get-ItemPropertyValue -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications' -Name 'ConfigureChatAutoInstall' -ErrorAction Stop ) -eq 0 ) {
                $RegCompliance = $true 
            }
            else { 
                $RegCompliance = $false 
            } 
        }
        else { $RegCompliance = $true }

        # check if the teams app is installed
        if ($null -eq (Get-AppxPackage -Name MicrosoftTeams) ) { $AppCompliance = $true }
        else { $AppCompliance = $false }
    
        # evaluate the compliance
        if ($RegCompliance -and $AppCompliance -eq $true) {

            Write-Host "Success, app/reg in Compliance"
            exit 0
        }
        else {
            Write-Host "Failure, app/reg detected"
            exit 1
        }
   
    
    }
    catch {
        $errMsg = $_.Exception.Message
        Write-Host $errMsg
        exit 1
    }
}
else {
    Write-Output "OS is not windows 11. Exiting"
    Exit 0
}

Remediate_TeamsChatApp.ps1

PowerShell

# Give "Administrators" group full ownership of HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications.
function enable-privilege {
    param(
        ## The privilege to adjust. This set is taken from
        ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
        [ValidateSet(
            "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
            "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
            "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
            "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
            "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
            "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
            "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
            "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
            "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
            "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
            "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
        $Privilege,
        ## The process on which to adjust the privilege. Defaults to the current process.
        $ProcessId = $pid,
        ## Switch to disable the privilege, rather than enable it.
        [Switch] $Disable
    )

    ## Taken from P/Invoke.NET with minor adjustments.
    $definition = @'
 using System;
 using System.Runtime.InteropServices;
  
 public class AdjPriv
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
   ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
   bool retVal;
   TokPriv1Luid tp;
   IntPtr hproc = new IntPtr(processHandle);
   IntPtr htok = IntPtr.Zero;
   retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
   tp.Count = 1;
   tp.Luid = 0;
   if(disable)
   {
    tp.Attr = SE_PRIVILEGE_DISABLED;
   }
   else
   {
    tp.Attr = SE_PRIVILEGE_ENABLED;
   }
   retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
   retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
   return retVal;
  }
 }
'@

    $processHandle = (Get-Process -id $ProcessId).Handle
    $type = Add-Type $definition -PassThru
    $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}

enable-privilege SeTakeOwnershipPrivilege 
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Communications", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::takeownership)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$me = [System.Security.Principal.NTAccount]"Administrators"
$acl.SetOwner($me)
$key.SetAccessControl($acl)

# After you have set owner you need to get the acl with the perms so you can modify it.
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators", "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

$key.Close()

# Remediation
try {
    #Disable Auto Install registry for Teams chat app
    if (((Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications').PSObject.Properties.Name -contains 'ConfigureChatAutoInstall') -eq $true) {
        Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Communications' -Name 'ConfigureChatAutoInstall' -Value 0 -Type "Dword"
    }
    else {
        Write-Output "Registry value ConfigureChatAutoInstall not found"
    }

    # uninstall the teams consumer app
    Get-AppxPackage -Name MicrosoftTeams | Remove-AppxPackage -ErrorAction stop

    # as nothing errored out, we will report success
    Write-Output "Success, regkey set and app uninstalled"
    exit 0
}

catch {
    $errMsg = $_.Exception.Message
    Write-Host $errMsg
    exit 1
}

Once you have both a detection and a remediation script file:
Launch Intune portal and navigate to Devices > Remediations > Create script package

Type in a Name for your script and hit Next button

On the Settings page, upload the Detection and the Remediation scripts created in earlier steps and hit Next

In the next step, Select any Scope tags as needed and Hit Next

Under Assignments, select your Device or User groups you would like to apply this remediation scripts and also select your preferred Schedule and interval time. I recommend running this with daily schedule repeating everyday once every morning.

Finally, under Review + create hit Create button after reviewing all settings.

After the proactive remediation implemenation you can always head to Devices > Remediations and click on the script package name you created to check the device status report

Step 2: Hide the chat icon from taskbar

The above proactive remediation script will uninstall the app but users may still see the Teams chat app icon in the taskbar which upon click can reinstall itself. Create a configuration profile in Intune to disable the Teams Chat app icon from taskbar as shown below:

Navigate to Devices > Windows > Configuration profiles and Hit Create profile button

Select Windows 10 or later for Platform and Setting Catalog for Profile type in next step and hit Create button

Next, give your profile a name and hit Next button

On Configuration settings page, click Add settings and search for “Configure Chat” in the settings picker search box on the right and press Enter. You will see category “Experience” loaded under the search. Click on Experience category and check the box next to Configure Chat Icon setting.

This will add the Configure Chat Icon setting to your Configuration settings. Select Disabled from the drop down menu next to Configure Chat Icon setting as shown below and Hit Next.

You can also set it to Hide but this will allow users to show or hide in local taskbar settings. Read more

Apply Scope tags and required and hit Next.

Under Assignments, add your desired device or user groups to apply this policy to and Hit Next.

At last, hit the Create button to finish creating and applying this Configuration profile.

Congratulations, you have now created a proactive remediation and a configuration profile to disable and block Teams home Chat app from installing

The post Uninstall Teams chat app using remediation script and a configuration profile in Intune appeared first on SuperUserTips.

Intune Last Check-in date not updating for Windows device

mando — Wed, 25 Oct 2023 08:31:38 +0000

There was a recent issue where an active device did not report its last check-in date in Intune even though it was actively checking in. No issue with performing sync from access work or school settings, app deployment and OS updates on the device. No errors are being logged in event logs either. Since device was not reporting its Last Check-in time to Intune, it caused an issue with compliance as device is now marked non-compliant in Intune for no check-in over 60 days.

Ultimately, it all came down to one of the windows service that was not running or in disabed state.

DmWapPushService : (“Device Management Wireless Application Protocol (WAP) Push message Routing Service”) , a required service for Intune to properly communicate with clients

Resolution:

Check and enable the DmWapPushService service:

Openservices.msc console
Under services list, Right-click service name “Device Management Wireless Application Protocol (WAP) Push message Routing Service” and select Properties. In the General tab of properties dialog box, select Automatic (Delayed Start) as startup type.
Hit OK

Verify that another required service “Microsoft Intune Management Extension” is enabled with startup type as “Automatic (Delayed Start)” as well and in running state.

Once the above services are in desired state, Reboot and initiate a check-in with Intune. After 5-10 mins, the last check-in time should be updating with no issues

Microsoft reference:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-management/cannot-sync-windows-10-devices?id=5004252

The post Intune Last Check-in date not updating for Windows device appeared first on SuperUserTips.