andrewamason/Intune
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Intune Initial Scripts Backup

Browse Source
This commit is contained in:
Andrew Amason
2025-04-21 14:21:38 -04:00
commit 71764cd10f
241 changed files with 28218 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

292
intune/Intune Scripts/Correct-PrimaryUser.ps1 Normal file
View File

@@ -0,0 +1,292 @@
#Get All Windows 10 Intune Managed Devices for the Tenant
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
function Get-Win10IntuneManagedDevice {
<#
.SYNOPSIS
This gets information on Intune managed device
.DESCRIPTION
This gets information on Intune managed device
.EXAMPLE
Get-Win10IntuneManagedDevice
.NOTES
NAME: Get-Win10IntuneManagedDevice
#>
[cmdletbinding()]
param
(
[parameter(Mandatory=$false)]
[ValidateNotNullOrEmpty()]
[string]$deviceName
)
$graphApiVersion = "beta"
try {
if($deviceName){
$Resource = "deviceManagement/managedDevices?`$filter=deviceName eq '$deviceName'"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value
}
else {
$Resource = "deviceManagement/managedDevices?`$filter=(((deviceType%20eq%20%27desktop%27)%20or%20(deviceType%20eq%20%27windowsRT%27)%20or%20(deviceType%20eq%20%27winEmbedded%27)%20or%20(deviceType%20eq%20%27surfaceHub%27)))"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value
}
} catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
throw "Get-IntuneManagedDevices error"
}
}
function Get-IntuneDevicePrimaryUser {
<#
.SYNOPSIS
This lists the Intune device primary user
.DESCRIPTION
This lists the Intune device primary user
.EXAMPLE
Get-IntuneDevicePrimaryUser
.NOTES
NAME: Get-IntuneDevicePrimaryUser
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
[string] $deviceId
)
$graphApiVersion = "beta"
$Resource = "deviceManagement/managedDevices"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)" + "/" + $deviceId + "/users"
try {
$primaryUser = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get
return $primaryUser.value."id"
} catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
throw "Get-IntuneDevicePrimaryUser error"
}
}
#$authtoken = Get-AuthToken -User andrew.amason@carecentrix.com
$Devices = Get-Win10IntuneManagedDevice | where usersLoggedOn -ne $Null
Foreach ($Device in $Devices) {
Write-Host "Device name:" $device."deviceName" -ForegroundColor Cyan
$IntuneDevicePrimaryUser = Get-IntuneDevicePrimaryUser -deviceId $Device.id
#Check if there is a Primary user set on the device already
if ($IntuneDevicePrimaryUser -eq $null) {
Write-Host "No Intune Primary User Id set for Intune Managed Device" $Device."deviceName" -f Red
}
else {
$PrimaryAADUser = Get-AzureADUser -ObjectId $IntuneDevicePrimaryUser
Write-Host "Intune Device Primary User:" $PrimaryAADUser.displayName
}
#Get the objectID of the last logged in user for the device, which is the last object in the list of usersLoggedOn
$LastLoggedInUser = ($Device.usersLoggedOn[-1]).userId
#Using the objectID, get the user from the Microsoft Graph for logging purposes
$User = Get-AzureADUser -ObjectId $LastLoggedInUser
#Check if the current primary user of the device is the same as the last logged in user
if ($IntuneDevicePrimaryUser -notmatch $User.ObjectId) {
#If the user does not match, then set the last logged in user as the new Primary User
$SetIntuneDevicePrimaryUser = Set-IntuneDevicePrimaryUser -IntuneDeviceId $Device.id -userId $User.id
if ($SetIntuneDevicePrimaryUser -eq "") {
Write-Host "User"$User.displayName"set as Primary User for device '$($Device.deviceName)'..." -ForegroundColor Green
}
}
else {
#If the user is the same, then write to host that the primary user is already correct.
Write-Host "The user '$($User.displayName)' is already the Primary User on the device..." -ForegroundColor Yellow
}
Write-Host
}

2
intune/Intune Scripts/Disable_MSOnline.ps1 Normal file
View File

@@ -0,0 +1,2 @@
new-item -Path HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Internet
New-ItemProperty -Path HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Internet -Name OnlineStorage -PropertyType DWORD -Value 3

67
intune/Intune Scripts/rotate_all_bitlocker_keys.ps1 Normal file
View File

@@ -0,0 +1,67 @@
<#
.SYNOPSIS
Rotates All BitLocker keys for all Windows devices in Intune using Graph API.
.DESCRIPTION
This script connects to Intune via Graph API and rotates the BitLocker keys for all managed Windows devices.
.NOTES
Author: Ugur Koc
GitHub: https://github.com/ugurkocde
Twitter: https://x.com/UgurKocDe
LinkedIn: https://www.linkedin.com/in/ugurkocde/
Version: 1.0
Created: 07/20/2024
Version: 1.1 (07/20/2024)
- Changed Authentication to Connect-MgGraph -Scopes only.
Version: 1.2 (07/20/2024)
- Added pagination.
- Moved the OS Filter to the top, to avoid unnecessary API calls.
.REQUIREMENTS
- PowerShell 5.1 or later
- Microsoft.Graph.Authentication module
.LINK
https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-rotatebitlockerkeys?view=graph-rest-beta
.EXAMPLE
.\rotate_all_bitlocker_keys.ps1
.NOTES
Disclaimer: This script is provided AS IS without warranty of any kind. Use it at your own risk.
#>
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All" -NoWelcome
# Get all managed Windows devices from Intune with pagination
$managedDevices = @()
$nextLink = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=id,deviceName,operatingSystem&`$filter=operatingSystem eq 'Windows'"
# This loop will get all managed devices from Intune with pagination
while ($nextLink) {
$response = Invoke-MgGraphRequest -Method GET -Uri $nextLink
$managedDevices += $response.value
$nextLink = $response.'@odata.nextLink'
}
foreach ($device in $managedDevices) {
$deviceId = $device.id
$deviceName = $device.deviceName
Write-Host "Processing device: $deviceName" -ForegroundColor Cyan
# Attempt to rotate the BitLocker keys
try {
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$deviceId')/rotateBitLockerKeys" -ContentType "application/json"
Write-Host "Successfully rotated BitLocker keys for device $deviceName" -ForegroundColor Green
}
catch {
Write-Host "Failed to rotate BitLocker keys for device $deviceName" -ForegroundColor Red
Write-Host "Error: $_" -ForegroundColor Red
}
}
Write-Host "BitLocker key rotation process completed." -ForegroundColor Cyan