Good day everyone. It's now been over a week since MMS MOA 2026, my brain is still drowning from all the information that was given (and fun that was had). It was great to catch up with co-workers, meet some new co-workers, and meet new people from around the world at MMS. I came away with all sorts of ideas on how we can improve our setup. It's interesting to see the Microsoft stance on things (cloud only, Intune only, blah blah blah), and then see what is actually happening out in the real world. I always have this feeling we are really behind, but then I see so many other people still running Configuration Manager and still have devices bound to Active Directory. I know MMS MOA has a little bit of bias, being historically a Configuration Manager conference, but I consider the people speaking and going to this event to be the best of the best when it comes to device management. To see people struggle with the same issues that we deal with daily....I guess that's refreshing?? It would be nice to see said issues get addressed at some point by Microsoft.

While I didn't get to do a fishing session at MMS, since I've been back home, I went on a fishing session with my son.

Look at this massive fish I reeled in Saturday! Was quite the fight to reel it in. Before I got side tracked showing off my fish, I was talking about the issues we deal with regarding Microsoft Intune. That's my inspiration for this post.

What Group Policy Did Right?​

A little bit of history, for those that have never dealt with Group Policy. With Group Policy, we had an order to how GPO's were processed. GPO's were processed in the following order:

• Group Policy Objects (GPO) are processed in the following order:
  • The local GPO is applied.
  • GPOs linked to sites are applied.
  • GPOs linked to domains are applied.
  • GPOs linked to organizational units (OUs) are applied. In a nested OU structure, GPOs linked to parent OUs are applied first, followed by GPOs linked to the child OUs.

Source: Group Policy Processing

Also with GPO, we had the concept of link order.

The GPO link with the lowest link order in the Group Policy Object Links list has precedence by default.

Lowest link order = lowest number

In this example, the GPO JoeLoveless - MicrosoftEdge - Overwrite would win out over JoeLoveless - MicrosoftEdge

In the policy JoeLoveless - Microsoft Edge, I have this configured:

In my overwrite policy, I am changing that setting to be Enabled. Then I would apply that to a targeted security group. Any workstation in that security group would then have the cast icon on the toolbar.

How Does Intune handle this?​

With Intune, this isn't the case. While other Microsoft cloud products have the concept of link order (Office Admin Center, Edge Admin Center, and I think Defender...), Intune doesn't follow this novel concept. Intune will just tell you there is a conflict in the policies, and leave it at that.

Our Attempts​

Anyone familiar with security benchmarks probably know the pain some of this can cause. You try your best to harden the workstations, then you find Group A needs this for some legacy workflow, Group B needs another of this for another legacy workflow, then you have devices that need to be in Kiosk mode so they have their own workflow. Fun times.

Attempt 1: Monolithic Profile​

Our first attempt, and this was a of a figure it out on the fly type project. We created a monolithic profile that contained all of our baseline settings. We did this with Group Policy with our core security settings, worked okay there, should work okay here too? Right? Wrong.

Denying profiles in GP is pretty consistent, if you know where the policies are, there is a good chance they'll fall off correctly. With Intune, settings are a bit all over the place and how they apply. Some write to the former GP registry values, some don't. Some write to the PolicyManager section, some don't. Some tattoo, some don't. Awfulness.

So we had a profile set this way, we would then duplicate the profile with all the settings still in and then change the settings we needed to change...this kinda worked. But we eventually decided the monolithic profile wasn't the best way. I'll explain what went wrong with Attempt 1 and Attempt 2 together.

Attempt 2: Broken Down Profiles​

I make fun of ITIL verbiage a lot. They say to "progress iteratively". Well that's what we did. Our next step was to break down the profiles into smaller chunks. Using the CIS baselines, we now broke the settings out by section.

Note: CIS makes this a lot easier if you are a CIS SecureSuite member. You can now import the JSON files into Intune

Following the same concept as Attempt #1, our process was to duplicate the profile, and modify any settings that would need to be changed:

Where This Failed​

The ultimate goal is not to have exceptions. That would be security working with whomever to make sure the processes follow the security standard...ideally. Or you just pull the settings that need exceptions and call it a day. The 2nd one probably isn't the best choice. Our goal is to continue to apply the settings no matter what, to as many devices as possible. Our process broke down when the following happened:

• Group A
  • COMP-1
  • COMP-2
  • COMP-3
  • COMP-4
  • COMP-5
• Group B
  • COMP-6
  • COMP-7
  • COMP-2
  • COMP-3
  • COMP-8

Group A needs this setting changed:

• Exclude Group A from WIN_D_CISL1_AdministrativeTemplates_PROD
• Add Group A to WIN_D_CISL1_AdministrativeTemplates-EXC_PROD

Group B needs this setting changed:

• Exclude Group B from WIN_D_CISL1_AdministrativeTemplates-WindowsComponents_PROD
• Add Group B to WIN_D_CISL1_AdministrativeTemplates-WindowsComponents-EXC_PROD

COMP-2 and COMP-3 are in both Group A and Group B. The rest of Group B does not need the exception that is applying to Group A. This is where we started to see the flaws in our logic.

The Solution​

What we have landed on, is this workflow. Note, this does create more Intune profiles, but to date, we haven't found a better way of doing this. I'm open to suggestions should anyone have any.

1. Exception needed
   1. Remove setting from main profile, create a "secondary profile" containing the default value.
   2. Duplicate the "secondary profile", create a new "exception profile" containing the changed value.

In final, the Intune profiles would look like this:

• WIN_D_CISL1_AdminTemplates-System_PROD
  • Removed the setting Turn on convenience PIN sign-in
• WIN_D_CISL1_AdminTemplates-System-ConveniencePINSignIn_PROD
• WIN_D_CISL1_AdminTemplates-System-ConveniencePINSignIn-EXC_PROD

Happy April to everyone! Hard to believe that it is already spring-ish here in Minnesota. By spring in Minnesota, that means 70 degrees one day, 35 and sleeting the next. But the grass is starting to green up, which means more time outside for cleaning up the yard from winter. With 3 dogs that's a lot of fun. With 5 acres and wind, that's a lot of sticks and branches to pick up.

Last weekend we went to Omaha for the weekend, my daughter turned 15. Her and my wife went to see Six the Musical at the Orpheum Theatre. Omaha was fun. Not really what I expected it to be, but I mean that in a good way. My son and I ate some fried chicken and wandered around downtown for a bit while the musical was going on. Even just a 5 hour drive is exhausting these days.

We're well underway with more house projects. The upstairs flooring is finished, now we're working on remodeling the laundry room. The previous owners over engineered this DIY desk. It was a pain to take apart. I was finally able to use my Karate Kid 3 teachings of John Silver and kick some boards. Unlike Daniel LaRusso, I did not need to ice my foot after kicking said desk apart.

At work, I wanted a way to report on Intune Settings Catalog policies. I was looking to do the following:

• Report on 1 or multiple profiles
  • Report on the setting name + value (and any sub values)
• Find settings that are either duplicated/conflicting/unique.
  • I needed this for baseline comparison.
• Find what SKU is supported for these settings.
  • I need this for AVD Multi-Session fun.

The Script​

I've uploaded the script to my GitHub repo, direct link is here: Export-IntuneSettingsCatalogPolicyReport.ps1

Script Rundown​

Much of the script is a bit of combination of previous work done with the IntuneDocs, and other functions I've made from time to time to gather reporting data from the Graph API. I won't go through all of the script, but I'll give bits and pieces for context before explaining what all I was looking to do:

    [CmdletBinding(DefaultParameterSetName = 'Interactive')]
    Param(
        [Parameter(Mandatory = $false, ParameterSetName = 'ByName')]
        [string[]]$PolicyName,
        [Parameter(Mandatory = $false, ParameterSetName = 'All')]
        [switch]$All,
        [string]$OutputDir,
        [ValidateSet('Markdown', 'Csv', 'All')]
        [string]$OutputFormat = 'Markdown'
    )

First with the parameters.

• PolicyName
  • Search by one or many policies, or choose All if you want to report on everything. If you choose nothing, and OutGrid-View will display and you'll be able to select which policies. I typically use the OutGrid-View, mainly because I don't always remember the exact policy names.
• OutputDir
  • Optional, will default to the $pwd if not used.
• OutputFormat
  • Defaults to Markdown. I originally built this for a markdown report, but then thought having a csv report would be useful also. We typically do a lot of our manipulation based off CSV files.

After that, we then gather the Policies, the settings and then the SettingsDefinitions for each policy.

 #region Load all policies from Graph
    $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
    $response = Invoke-MgGraphRequest -Uri $uri -Method GET
    $AllPolicies = $response.value

    while ($response.'@odata.nextLink') {
        $response = Invoke-MgGraphRequest -Uri $response.'@odata.nextLink' -Method GET
        $AllPolicies += $response.value
    }
    #endregion

Foreach policy, we're building a lookup table, and getting everything into the right format. Getting the sub values correct has always been tricky, this might not 100% gather all the down level data, but it should be enough for this report to get us "far enough".

#region Select policies
    $Policies = @()
    switch ($PSCmdlet.ParameterSetName) {

        'ByName' {
            foreach ($name in $PolicyName) {
                $p = $AllPolicies | Where-Object { $_.name -eq $name }
                if ($p) { $Policies += $p }
                else { Write-Warning "Policy name '$name' not found." }
            }
        }

        'All' {
            $Policies = $AllPolicies
        }

        'Interactive' {
            $Policies = $AllPolicies |
            Select-Object name, description, platforms, technologies, id |
            Out-GridView -Title "Select one or more policies to include in the report" -PassThru
        }
    }

    if ($Policies.Count -eq 0) {
        Write-Warning "No policies selected."
        return
    }
    #endregion

    #region Collect settings for each policy
    $PolicyDataList = @()
    $SettingPolicyMap = @{}   # settingDefinitionId = List[policyName]
    $SettingValueMap = @{}   # "settingDefId||value" = List[policyName]

    foreach ($policy in $Policies) {

        Write-Output "Processing: $($policy.name)"

        # Get settings with definitions expanded
        $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($policy.id)')/settings?`$expand=settingDefinitions"
        $response = Invoke-MgGraphRequest -Uri $uri -Method GET
        $rawSettings = $response.value

        while ($response.'@odata.nextLink') {
            $response = Invoke-MgGraphRequest -Uri $response.'@odata.nextLink' -Method GET
            $rawSettings += $response.value
        }

        # Build definition lookup: settingDefinitionId = definition object
        $DefLookup = @{}
        foreach ($item in $rawSettings) {
            if ($item.settingDefinitions) {
                foreach ($def in $item.settingDefinitions) {
                    if (-not $DefLookup.ContainsKey($def.id)) {
                        $DefLookup[$def.id] = $def
                    }
                }
            }
        }

        # Flatten setting instances
        $PolicySettings = @()

        foreach ($item in $rawSettings) {
            $stack = [System.Collections.ArrayList]::new()
            [void]$stack.Add([PSCustomObject]@{ Instance = $item.settingInstance; Depth = 0 })

            while ($stack.Count -gt 0) {
                $frame = $stack[$stack.Count - 1]
                $stack.RemoveAt($stack.Count - 1)

                $inst = $frame.Instance
                $depth = $frame.Depth
                if (-not $inst) { continue }

                $defId = $inst.settingDefinitionId
                $odataType = $inst.'@odata.type'

                $def = if ($DefLookup.ContainsKey($defId)) { $DefLookup[$defId] } else { $null }
                $displayName = if ($def) { $def.displayName } else { $defId }

                $value = switch -Regex ($odataType) {

                    'choiceSettingInstance$' {
                        $raw = $inst.choiceSettingValue.value
                        if ($def -and $def.options) {
                            $opt = $def.options |
                            Where-Object { $_.itemId -eq $raw } |
                            Select-Object -First 1
                            if ($opt) { $opt.displayName } else { $raw }
                        }
                        else { $raw }
                    }

                    'simpleSettingInstance$' {
                        [string]$inst.simpleSettingValue.value
                    }

                    'simpleSettingCollectionInstance$' {
                        ($inst.simpleSettingCollectionValue | ForEach-Object { [string]$_.value }) -join '; '
                    }

                    'choiceSettingCollectionInstance$' {
                        $vals = foreach ($c in $inst.choiceSettingCollectionValue) {
                            $cv = $c.value
                            if ($def -and $def.options) {
                                $opt = $def.options |
                                Where-Object { $_.itemId -eq $cv } |
                                Select-Object -First 1
                                if ($opt) { $opt.displayName } else { $cv }
                            }
                            else { $cv }
                        }
                        $vals -join '; '
                    }

                    'groupSettingInstance$' { '' }
                    'groupSettingCollectionInstance$' { '' }
                    default { $odataType }
                }

                # Info URL — first entry from infoUrls
                $infoUrl = ''
                if ($def -and $def.infoUrls -and $def.infoUrls.Count -gt 0) {
                    $infoUrl = "[Docs]($($def.infoUrls[0]))"
                }

                # Platform from the definition applicability
                $defPlatform = if ($def -and $def.applicability -and $def.applicability.platform) {
                    $def.applicability.platform
                } else { '' }

                # Windows SKUs — $null means not a Windows setting (SKUs not applicable).
                # Empty array means Windows setting where all SKUs are supported.
                $isWindowsSetting = $defPlatform -match 'windows'
                $supportedSkus = if (-not $isWindowsSetting) {
                    $null
                } elseif ($def.applicability.windowsSkus) {
                    @($def.applicability.windowsSkus)
                } else { @() }

                $PolicySettings += [PSCustomObject]@{
                    SettingDefinitionId = $defId
                    DisplayName         = $displayName
                    Value               = $value
                    Depth               = $depth
                    InfoUrl             = $infoUrl
                    Platform            = $defPlatform
                    WindowsSkus         = $supportedSkus
                }

                # Push children in reverse so first child processes first
                $children = $null
                if ($odataType -match 'choiceSettingInstance$') {
                    $children = @($inst.choiceSettingValue.children)
                }
                elseif ($odataType -match 'groupSettingInstance$') {
                    $children = @($inst.groupSettingValue.children)
                }
                elseif ($odataType -match 'groupSettingCollectionInstance$') {
                    $children = @($inst.groupSettingCollectionValue | ForEach-Object { $_.children })
                }

                if ($children) {
                    for ($i = $children.Count - 1; $i -ge 0; $i--) {
                        [void]$stack.Add([PSCustomObject]@{ Instance = $children[$i]; Depth = $depth + 1 })
                    }
                }
            }
        }

        # Track settingDefinitionId = policies and settingDefId+value = policies
        foreach ($s in $PolicySettings) {
            if (-not $SettingPolicyMap.ContainsKey($s.SettingDefinitionId)) {
                $SettingPolicyMap[$s.SettingDefinitionId] = [System.Collections.Generic.List[string]]::new()
            }
            if ($SettingPolicyMap[$s.SettingDefinitionId] -notcontains $policy.name) {
                $SettingPolicyMap[$s.SettingDefinitionId].Add($policy.name)
            }

            $valueKey = "$($s.SettingDefinitionId)||$($s.Value)"
            if (-not $SettingValueMap.ContainsKey($valueKey)) {
                $SettingValueMap[$valueKey] = [System.Collections.Generic.List[string]]::new()
            }
            if ($SettingValueMap[$valueKey] -notcontains $policy.name) {
                $SettingValueMap[$valueKey].Add($policy.name)
            }
        }

        $PolicyDataList += [PSCustomObject]@{
            Name        = $policy.name
            Description = $policy.description
            Platform    = $policy.platforms
            Settings    = $PolicySettings
        }
    }

    # settingDefinitionId appears in multiple policies
    $DuplicateIds = $SettingPolicyMap.Keys | Where-Object { $SettingPolicyMap[$_].Count -gt 1 }
    # settingDefinitionId appears in exactly 1 policy
    $UniqueIds = $SettingPolicyMap.Keys | Where-Object { $SettingPolicyMap[$_].Count -eq 1 }
    # same settingDefinitionId + same value in multiple policies
    $DuplicateValueKeys = $SettingValueMap.Keys | Where-Object { $SettingValueMap[$_].Count -gt 1 }
    # settingDefinitionId in multiple policies with at least one differing value
    $ConflictIds = $DuplicateIds | Where-Object {
        $defId = $_
        ($SettingValueMap.Keys | Where-Object { ($_ -split '\|\|', 2)[0] -eq $defId }).Count -gt 1
    }
    #endregion

Here we are building the markdown report. A lot of this is just manipulating the output into the right markdown format and table format.

#region Build Markdown
    $md = [System.Text.StringBuilder]::new()

    $null = $md.AppendLine("# Intune Settings Catalog Policy Report")
    $null = $md.AppendLine("")
    $null = $md.AppendLine("**Generated:** $(Get-Date -Format 'yyyy-MM-dd HH:mm')")
    $null = $md.AppendLine("")

    # Summary table
    $null = $md.AppendLine("## Policies")
    $null = $md.AppendLine("")
    $null = $md.AppendLine("| Policy Name | Platform | Top-Level Settings |")
    $null = $md.AppendLine("| --- | --- | --- |")
    foreach ($pd in $PolicyDataList) {
        $topCount = ($pd.Settings | Where-Object { $_.Depth -eq 0 }).Count
        $null = $md.AppendLine("| $($pd.Name) | $($pd.Platform) | $topCount |")
    }
    $null = $md.AppendLine("")

    if ($DuplicateIds.Count -gt 0) {
        $null = $md.AppendLine(">  **Bold** = same setting in multiple policies with the same value.")
        $null = $md.AppendLine("")
        $null = $md.AppendLine("> *Italic* = same setting in multiple policies with differing values.")
        $null = $md.AppendLine("")
    }

    # Per-policy sections
    foreach ($pd in $PolicyDataList) {
        $null = $md.AppendLine("---")
        $null = $md.AppendLine("")
        $null = $md.AppendLine("### $($pd.Name)")
        $null = $md.AppendLine("")
        if ($pd.Description) {
            $null = $md.AppendLine("*$($pd.Description)*")
            $null = $md.AppendLine("")
        }
        $null = $md.AppendLine("**Platform:** $($pd.Platform)")
        $null = $md.AppendLine("")
        $null = $md.AppendLine("| Setting | Sub-Setting | Value | Supported Platform | Supported SKUs | Unsupported SKUs |")
        $null = $md.AppendLine("| --- | --- | --- | --- | --- | --- |")

        $allSkus = @(
            'windowsHome', 'windowsProfessional', 'windowsEnterprise', 'windowsEducation', 'windowsMultiSession',
            'windowsCloudN', 'windowsCPC', 'windows11SE', 'iotEnterprise', 'iotEnterpriseSEval',
            'surfaceHub', 'hololens', 'hololensEnterprise', 'holographicForBusiness'
        )

        foreach ($s in $pd.Settings) {
            $isDupe     = $DuplicateIds -contains $s.SettingDefinitionId
            $valueKey   = "$($s.SettingDefinitionId)||$($s.Value)"
            $isConflict = $isDupe -and ($SettingValueMap[$valueKey].Count -lt $SettingPolicyMap[$s.SettingDefinitionId].Count)

            # Wrap display name in a doc link if one is available
            $linkedName = if ($s.InfoUrl) {
                $url = $s.InfoUrl -replace '^\[Docs\]\(|\)$', ''
                "[$($s.DisplayName)]($url)"
            } else { $s.DisplayName }

            $formatted = if ($isConflict) { "*$linkedName*" } elseif ($isDupe) { "**$linkedName**" } else { $linkedName }

            if ($s.Depth -eq 0) {
                $settingCell    = $formatted
                $subSettingCell = ""
            }
            else {
                $settingCell    = ""
                $subSettingCell = $formatted
            }

            if ($null -eq $s.WindowsSkus) {
                $supportedCell   = ''
                $unsupportedCell = ''
            } else {
                $supportedCell   = ($allSkus | Where-Object { $s.WindowsSkus.Count -eq 0 -or $s.WindowsSkus -contains $_ } | ForEach-Object { $_ -replace '^windows', '' }) -join '<br>'
                $unsupportedCell = ($allSkus | Where-Object { $s.WindowsSkus.Count -gt 0 -and $s.WindowsSkus -notcontains $_ } | ForEach-Object { $_ -replace '^windows', '' }) -join '<br>'
            }

            $null = $md.AppendLine("| $settingCell | $subSettingCell | $($s.Value) | $($s.Platform) | $supportedCell | $unsupportedCell |")
        }
        $null = $md.AppendLine("")
    }

    # Conflicting Settings
    $null = $md.AppendLine("---")
    $null = $md.AppendLine("")
    $null = $md.AppendLine("## Values")
    $null = $md.AppendLine("")
    $null = $md.AppendLine("### Conflicting Values")
    $null = $md.AppendLine("")

    if ($ConflictIds.Count -gt 0) {
        $null = $md.AppendLine("The following settings are configured in multiple policies with different values.")
        $null = $md.AppendLine("")
        $null = $md.AppendLine("| Setting | Policy | Value |")
        $null = $md.AppendLine("| --- | --- | --- |")

        foreach ($defId in ($ConflictIds | Sort-Object)) {
            $displayName = $defId
            foreach ($pd in $PolicyDataList) {
                $match = $pd.Settings | Where-Object { $_.SettingDefinitionId -eq $defId } | Select-Object -First 1
                if ($match) { $displayName = $match.DisplayName; break }
            }
            foreach ($policyName in ($SettingPolicyMap[$defId] | Sort-Object)) {
                $pd  = $PolicyDataList | Where-Object { $_.Name -eq $policyName }
                $val = ($pd.Settings | Where-Object { $_.SettingDefinitionId -eq $defId } | Select-Object -First 1).Value
                $null = $md.AppendLine("| $displayName | $policyName | $val |")
                $displayName = ""   # only show setting name on first row
            }
        }
    }
    else {
        $null = $md.AppendLine("No conflicting settings found.")
    }
    $null = $md.AppendLine("")

    # Duplicate Values
    $null = $md.AppendLine("---")
    $null = $md.AppendLine("")
    $null = $md.AppendLine("### Duplicate Values")
    $null = $md.AppendLine("")

    if ($DuplicateValueKeys.Count -gt 0) {
        $null = $md.AppendLine("The following settings have identical values configured in multiple policies.")
        $null = $md.AppendLine("")
        $null = $md.AppendLine("| Setting | Policy | Value |")
        $null = $md.AppendLine("| --- | --- | --- |")

        foreach ($key in ($DuplicateValueKeys | Sort-Object)) {
            $defId, $val = $key -split '\|\|', 2
            $displayName = $defId
            foreach ($pd in $PolicyDataList) {
                $match = $pd.Settings | Where-Object { $_.SettingDefinitionId -eq $defId } | Select-Object -First 1
                if ($match) { $displayName = $match.DisplayName; break }
            }
            foreach ($policyName in ($SettingValueMap[$key] | Sort-Object)) {
                $null = $md.AppendLine("| $displayName | $policyName | $val |")
                $displayName = ""
            }
        }
    }
    else {
        $null = $md.AppendLine("No duplicate values found.")
    }
    $null = $md.AppendLine("")

    # Unique Values
    $null = $md.AppendLine("---")
    $null = $md.AppendLine("")
    $null = $md.AppendLine("### Unique Values")
    $null = $md.AppendLine("")

    if ($UniqueIds.Count -gt 0) {
        $null = $md.AppendLine("The following settings are configured in only one policy.")
        $null = $md.AppendLine("")
        $null = $md.AppendLine("| Setting | Value | Policy |")
        $null = $md.AppendLine("| --- | --- | --- |")

        foreach ($defId in ($UniqueIds | Sort-Object)) {
            $policyName = $SettingPolicyMap[$defId][0]
            $pd = $PolicyDataList | Where-Object { $_.Name -eq $policyName }
            $match = $pd.Settings | Where-Object { $_.SettingDefinitionId -eq $defId } | Select-Object -First 1
            $displayName = if ($match) { $match.DisplayName } else { $defId }
            $val = if ($match) { $match.Value } else { "" }
            $null = $md.AppendLine("| $displayName | $val | $policyName |")
        }
    }
    else {
        $null = $md.AppendLine("No unique values found.")
    }
    $null = $md.AppendLine("")
    #endregion

    #region Write output
    if ($OutputFormat -in 'Markdown', 'All') {
        $md.ToString() | Out-File -FilePath $OutputFilePath -Encoding UTF8

        if (Test-Path $OutputFilePath) {
            Write-Output "Markdown file = $OutputFilePath."
        }
        else {
            Write-Warning "No Markdown file created."
        }
    }

And finally, the CSV format. For the CSV format, the only difference really is needing to add columns for the Unique, Duplicate, or Conflicting settings.

if ($OutputFormat -in 'Csv', 'All') {
        $csvAllSkus = @(
            'windowsHome', 'windowsProfessional', 'windowsEnterprise', 'windowsEducation', 'windowsMultiSession',
            'windowsCloudN', 'windowsCPC', 'windows11SE', 'iotEnterprise', 'iotEnterpriseSEval',
            'surfaceHub', 'hololens', 'hololensEnterprise', 'holographicForBusiness'
        )

        $csvRows = foreach ($pd in $PolicyDataList) {
            foreach ($s in $pd.Settings) {
                $supported   = if ($null -eq $s.WindowsSkus) { '' } else { ($csvAllSkus | Where-Object { $s.WindowsSkus.Count -eq 0 -or $s.WindowsSkus -contains $_ } | ForEach-Object { $_ -replace '^windows', '' }) -join '; ' }
                $unsupported = if ($null -eq $s.WindowsSkus) { '' } else { ($csvAllSkus | Where-Object { $s.WindowsSkus.Count -gt 0 -and $s.WindowsSkus -notcontains $_ } | ForEach-Object { $_ -replace '^windows', '' }) -join '; ' }
                $valueKey    = "$($s.SettingDefinitionId)||$($s.Value)"
                [PSCustomObject]@{
                    Policy             = $pd.Name
                    Setting            = if ($s.Depth -eq 0) { $s.DisplayName } else { '' }
                    SubSetting         = if ($s.Depth -gt 0) { $s.DisplayName } else { '' }
                    Value              = $s.Value
                    InfoUrl            = $s.InfoUrl -replace '^\[Docs\]\(|\)$', ''
                    SupportedPlatform  = $s.Platform
                    SupportedSKUs      = $supported
                    UnsupportedSKUs    = $unsupported
                    Unique             = if ($UniqueIds -contains $s.SettingDefinitionId) { 'x' } else { '' }
                    Duplicate          = if ($DuplicateValueKeys -contains $valueKey) { 'x' } else { '' }
                    Conflicting        = if ($ConflictIds -contains $s.SettingDefinitionId) { 'x' } else { '' }
                }
            }
        }

        $csvRows | Export-Csv -Path $CsvOutputFilePath -NoTypeInformation -Encoding UTF8

        if (Test-Path $CsvOutputFilePath) {
            Write-Output "CSV file = $CsvOutputFilePath."
        }
        else {
            Write-Warning "No CSV file created."
        }
    }
    #endregion

Reasoning​

Why is all this needed? Well, I have multiple reasons.

Reason #1: Operating System SKU​

Once a policy is created, there isn't really a great way to tell within Intune if a policy is actually applicable to the device you are applying it to.

When you create a new policy, it's somewhat easier, but not the most intuitive either. You have to ensure you are filtering before creating the policy, or choosing the setting:

After the profile is created, there is no way to filter from this view to the supported OS.

At that point, to really know what is applying correctly is to do the following steps:

1. Go to the device
2. Click Device Configuration
3. Open a policy
4. Look at all the settings, find ones that say Not Applicable.

Now do that for each profile you create. We've mainly ran into that with Azure Virtual Desktop Multi-Session hosts.

Policy CSP Documentation​

To make matters even worse, when you go to the CSP page in the Microsoft Learn documentation, there is 0 reference to that SKU (or all the SKUs)

Storage Sense CSP

If you go by the CSP documentation, Intune supports the following:

• Pro
• Enterprise
• Education
• IoT Enterprise / IoT Enterprise LTSC

After doing a dump from the Graph API, I found references to the following SKUs:

• WindowsHome
• WindowsProfessional
• WindowsEnterprise
• WindowsEducation
• WindowsMultiSession
• WindowsCloudN
• WindowsCPC
• Windows11SE
• iotEnterprise
• iotEnterpriseSEval
• surfaceHub
• hololens
• hololensenterprise
• holographicForBusiness

Maybe the Holo/Surface settings are referenced directly on policies that are supported, but for the most part, this seems to be pretty inaccurate. With the Learn documentation not referencing MultiSession, it would seem that none of the settings are supported (when in fact they are). Until you get into it, you don't really see what is applying and not applying.

Reason #2: Reporting on One or Multiple Profiles​

Another reason for this, is wanting to compare multiple profiles. In the Group Policy days, we had PolicyAnalyzer, which allowed us to compare multiple GPOs and there settings, allowing for easy de-duping of policies when doing migrations. There really isn't a great way to do that in Intune. I believe I've seen some sites out there that allow you to connect your tenant to their site and compare policies. Personally, not too fond of that idea. I wanted something that I had more control over, and can just run on an ad-hoc basis.

Currently, we're running the enterprise flavor of the CIS benchmark, but have been talking of switching over to the Intune flavor. There is also the Windows Baseline that is in Intune that comes from Microsoft. Using this, I can download the .json files from CIS' Build Kit, import them into my tenant and then compare to the Microsoft baseline.

Here I am selecting multiple profiles (and then the Microsoft benchmark).

I now have this beautiful report here in both CSV or Markdown format:

Markdown

CSV

Looking at the report, I can now see the conflicts between what Microsoft recommends vs. CIS recommendation.

If we wanted, we could compare ALL the policies in our tenant and easily find what is being set in multiple places. Intune will show you if there is a policy conflict (although not always accurate), but that's only if the setting is applied to the same group multiple times. What if there are two policies going out to two different groups? We'd want to consolidate that and have less policies.

Wrap-Up​

Well that's it, I might have another post here before MMS in May, but we'll see. Yard work, hikes, camping, all that fun stuff is on the horizon. Hopefully this post (and script) is useful for others. Let me know if you run into any issues or see anything that could be of value for additions.

Happy March everyone! I don't have a ton of updates as far as life events goes. It's the middle of March, and where I am at, all the snow had melted away....and then we got dumped on overnight with a good amount of snow. Mother Nature has a fun way of torturing us in Minnesota, every time you think you are in the clear weatherwise, there are other plans in store. Last night the mrs. and I went out for a St. Patrick's Day event at a local bar we go to. A fun time was had, but the next day really hits me. I'm still on the hunt for something overseas, fingers still crossed! If anyone has any leads, reach out!

Other than that, hotel is officially booked for MMS. Radison Blu...too expensive, already booked. CountryInn, also already booked. I waited too long. I'm back at the Cambria for a short little walk or bus ride each morning. Also no continental breakfast....bummer. I'm really looking forward to going to MMS again, I think this is Year 6 for me, not all consecutive.

Recently, I've been exploring a little bit more in the AI space, mainly out of curiosity and not wanting to be left behind in technology. I've used CoPilot and ChatGPT here and there, nothing too extensive and didn't really find them to be all that valuable. They help yes, but it can take a full day to get it to where you really want it to be. I haven't really explored the other models all that much, mainly just hearing about the latest on HackerNews, Reddit, or random YouTube videos and Podcasts. I have plenty of concerns with how they will work in a corporate environment, and if we are just heading backwards. I think back to the days of home grown applications, the developer leaving and nobody knowing how anything works. We've all been there as System Administrators. Now we are introducing applications with no developer ever being there, just fully AI coded applications? After years of cleaning up messes and trying to get everything standardized with vendor supported applications, here we are again.

/rant over

Algorithm Frustration​

Recently, I've became increasingly frustrated with the Internet and the constant barrage of the algorithms. The 90's-mid 2000's era of the Internet hold a special place in my heart. I miss the days of forums, random websites on Geocities/Angelfire, chat rooms, and Napster/Limewire/ShareBear/Kazaa, whatever other P2P music sites there were. While I am sure I look at that with rose colored glasses, and I am really just turning into an old man, I wish things could come back to that. Social media moderation is unachievable after you hit a certain user limit. I like the ActivityPub protocol, but don't love the Twitter style feed. Mastodon seems to have missed it's mark somewhat and there aren't the communities it needs (or I can't find them). BlueSky seems like Twitter but with just another layer on top, still being controlled by BlueSky itself.

Part of the reason I started this blog was because of the frustrations of leaving social media sites, and not having anything out there. I wanted a place of my own, whether people actually read it or not. I've always read other people's blogs, watched their YouTube videos, etc. At the same time, being able to keep up with it is a hard thing to achieve when there is so much out there.

HomeLabbing with RSS​

Wanting to get out of rabbit holes of YouTube, X, Reddit, BlueSky, etc. I started going back to RSS feeds. While there are plenty of free apps out there that will gladly give you some features as long as you provide you their e-mail address and data, they give you just enough to make you want to pay for the subscription. I am also fatigued with so many subscriptions these days. Of course, I've blogged about my homelab, and went down the rabbit hole of setting up a FreshRSS instance. I can't recommend it enough, pretty great free backend for RSS. I then tied it in with FocusReader, which is an Android application for reading the sites you aggregate.

That said, to read articles on the go while out and about, I'd need to connect to my TailScale instance to then connect back to my house. With Starlink being hit and miss at times, it was just frustrating enough to annoy me.

Why not a public RSS?​

I then got an idea in my head, why do I need to have this just on my network, and just for my consumption. I looked around for a while, and couldn't really find a great setup that was easy and out of the box to achieve this. I wanted an RSS list on the backend, and a nice interface on the front end. I didn't care who could access it. If it is just myself that is accessing it, that's fine. If others get value out of it too, even better. There are plenty of free community tools for the endpoint management space, maybe someone will find value in mine?

I'm not a developer, and am still learning GitHub Actions​

Having the idea in my brain, I decided to use Claude to try to achieve this.

I went back and forth with Claude for about 25 different responses before I finally was satisfied with what I had. Most of that back and forth was trying to get the layout and theme to what I wanted it to be. While I could have done the CSS myself, having done this for a subreddit for my favorite NBA basketball team r/Pacers, and for my site.....it was a quicker win with Claude.

The gist of the backend for the website is this:

• /scripts/fetch-feeds.js
  • A node.js script that runs on a schedule (GitHub Action) that loops through hardcoded URLs in the script. These are all curated by me, and I'm adding to them overtime. I've asked fellow co-workers for help, gathering what RSS feeds they have. I'm not close enough to the Apple community to really know what's out there enough, so using their RSS feeds was helpful.
  • GitHub action runs every 4 hours.
  • What I had for the Microsoft Learn RSS that was working on my FreshRSS instance was choking here. Fellow co-workers RSS was working better.
  • Some feeds return an error. It seems to be an issue with the blogging platform Ghost. I use https://rssfinder.app to find RSS feeds when I can't find a link on the site.
  • YouTube feeds get the thumbnail and description extracted, podcasts get the audio URLs and duration.
  • This is done in batch jobs of 4 in parallel, trying for 8 seconds before moving onto the next feed.
• Once the GitHub action finishes, the action commits to /docs/feeds.json
• GitHub Pages then serves that to an index.html file.

For the frontend:

• A vanilla JS and CSS index.html site.

The final product​

With that, I now have EndpointFeed.com

In one evening, I was able to get this stood up to show to my co-workers. From there, I added a New section, and have added websites here and there. If you see any sites that you think should be added, feel free to shoot me a message and I can get them added. Now I just need to duplicate this for all the other RSS categories I have on FreshRSS and stand up new sites.

My motivation is high lately, and I am wanting to keep the momentum going. Life has been somewhat busy on the home front, 2nd semester is in full swing for the kids. My son is taking a 7th Grade Computer Science class using code.org, so I've been helping him the most with that. The interface seems to be Scratch based, which we've dabbled with in the past. He seems to be gaining interest in computers, using that and the Lego Studio app (which seems to be a really great introduction to CAD). My daughter has a pretty heavy load of science this semester with Physical Science and Astronomy classes. I'm currently decluttering the house, selling random items on Facebook Marketplace to gear up for a potential move. I feel like I've made a pretty good haul so far, but still have so many items I need to get rid of. It's amazing what you can gather, especially when you consider yourself to not have a ton of possessions anyways. Hopefully I have more at some point on a potential move, very excited about all the different possibilities. When not trying to sell off random items, I've been heavily playing retro games. I just beat Super Mario Bros for NES, thanks to being able to save games mainly. Not nearly as frustrating as on the original NES with only so many lives.

My post this week is about gathering Intune assignments for groups in an Administrative Unit. I've seen many solutions out there for either exporting all policy assignments, or individual group assignments. In our org, we have two administrative units.

1. One for the endpoint staff to create groups in that only we control.
2. Another to create groups in that gives Desktop Support/Service Desk the ability to add/remove membership.

As we're trying to have proper hygiene in our environment, it's important to be able to cleanup groups. It's especially important to cleanup groups and make sure we're not deleting anything that is currently in use.

GitHub Scripts​

The scripts used in this blog post can be found here:

Export-IntuneGroupAssignmentsforAdministrativeUnit.ps1

Invoke-MgGraphBatchRequest.ps1

What is an Administrative Unit?​

Microsoft can definitely explain this better than me, here is the Microsoft Learn documentation on it. In our scenario, it's a way to control and segment out groups for Intune use. That said, you can also segment out devices, users, or groups.

Required Permissions​

For this to work properly, you need proper Graph permissions. There are tons of ways to go about this, we run everything through delegated permissions both in my lab and at my org. Here is what I have setup with an App Registration:

Note: Read permissions are needed in this scenario, although the screenshot shows Read/Write, I use the app for other purposes.

PowerShell Challenges​

When you are talking at an enterprise level, we're talking thousands of groups. On top of that, we're looking at multiple different API calls to Microsoft Graph for all the different scenarios.

    $resources = @(
        @{ Name = 'Configuration Policy'; Uri = 'deviceManagement/configurationPolicies'; AssignUri = 'deviceManagement/configurationPolicies/{id}/assignments' },
        @{ Name = 'Device Compliance Policy'; Uri = 'deviceManagement/deviceCompliancePolicies'; AssignUri = 'deviceManagement/deviceCompliancePolicies/{id}/assignments' },
        @{ Name = 'Device Configuration'; Uri = 'deviceManagement/deviceConfigurations'; AssignUri = 'deviceManagement/deviceConfigurations/{id}/assignments' },
        @{ Name = 'Device Health Script'; Uri = 'deviceManagement/deviceHealthScripts'; AssignUri = 'deviceManagement/deviceHealthScripts/{id}/assignments' },
        @{ Name = 'Group Policy Configuration'; Uri = 'deviceManagement/groupPolicyConfigurations'; AssignUri = 'deviceManagement/groupPolicyConfigurations/{id}/assignments' },
        @{ Name = 'Windows Autopilot'; Uri = 'deviceManagement/windowsAutopilotDeploymentProfiles'; AssignUri = 'deviceManagement/windowsAutopilotDeploymentProfiles/{id}/assignments' },
        @{ Name = 'Device Enrollment Configuration'; Uri = 'deviceManagement/deviceEnrollmentConfigurations'; AssignUri = 'deviceManagement/deviceEnrollmentConfigurations/{id}/assignments' },
        @{ Name = 'Device Shell Scripts'; Uri = 'deviceManagement/deviceShellScripts'; AssignUri = 'deviceManagement/deviceShellScripts/{id}/assignments' },
        @{ Name = 'Device Management Scripts'; Uri = 'deviceManagement/deviceManagementScripts'; AssignUri = 'deviceManagement/deviceManagementScripts/{id}/assignments' }

In my use case for this, I'm only looking at what's in the deviceManagement section of the Graph API. Yes, this needs to be expanded to include application assignments, app configuration policies, etc. But this is a starting point to build upon things. As you can see, we have 9 different sections of Microsoft graph to search through. With a normal ForEach loop for each group, this is going to take a long time. I initially started out that way, and quickly found out (well, quickly in hours) that I would need to find a different way.

Graph API Batching​

So then I went down the rabbit hole of Graph API batching. I don't consider myself an expert in this, and I am sure there are better ways of doing things. I think I got it going on best practices, but Microsoft's docs are a little confusing on how to accomplish this. It's also not natively built into the Graph commands, which is a little frustrating.I found other resources to be more helpful for starting out.

• Microsoft Learn
• Supercharge Microsoft Graph API Data Retrieval with PowerShell Batch Requests
• Microsoft Graph JSON batching using PowerShell
  • This post contains a ton of great information in the Footnotes.

Script Walkthrough​

Invoke-MgGraphBatchRequest​

The first thing I needed was a helper function that would help me loop through multiple requests.

function Invoke-MgGraphBatchRequest {
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [array]$Requests
)

$batchUri = "https://graph.microsoft.com/beta/`$batch"

$body = @{
    requests = $Requests
} | ConvertTo-Json -Depth 10

(Invoke-MgGraphRequest -Method POST -Uri $batchUri -Body $body).responses
}

Export-IntuneGroupAssignmentsforAdministrativeUnit​

With the helper function above, I am now ready for the main script walkthrough. As with a lot of what we write, much of this is repeatable code.

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$AdministrativeUnit,
    [ValidateSet('All', 'Assigned', 'Unassigned')]
    [string]$Scope = 'All'
)

# Microsoft Graph Connection check
if (-not (Get-MgContext)) {
    Write-Error "Authentication needed. Please connect to Graph."
    return
}

#region Declarations
$FunctionName = $MyInvocation.MyCommand.Name.ToString()
$date = Get-Date -Format yyyyMMdd-HHmm
if ($outputdir.Length -eq 0) { $outputdir = $pwd }
$OutputFilePath = "$OutputDir\$FunctionName-$date.csv"
$results = @()
$graphApiversion = "beta"
#endregion

# Resources
$resources = @(
    @{ Name = 'Configuration Policy'; Uri = 'deviceManagement/configurationPolicies'; AssignUri = 'deviceManagement/configurationPolicies/{id}/assignments' },
    @{ Name = 'Device Compliance Policy'; Uri = 'deviceManagement/deviceCompliancePolicies'; AssignUri = 'deviceManagement/deviceCompliancePolicies/{id}/assignments' },
    @{ Name = 'Device Configuration'; Uri = 'deviceManagement/deviceConfigurations'; AssignUri = 'deviceManagement/deviceConfigurations/{id}/assignments' },
    @{ Name = 'Device Health Script'; Uri = 'deviceManagement/deviceHealthScripts'; AssignUri = 'deviceManagement/deviceHealthScripts/{id}/assignments' },
    @{ Name = 'Group Policy Configuration'; Uri = 'deviceManagement/groupPolicyConfigurations'; AssignUri = 'deviceManagement/groupPolicyConfigurations/{id}/assignments' },
    @{ Name = 'Windows Autopilot'; Uri = 'deviceManagement/windowsAutopilotDeploymentProfiles'; AssignUri = 'deviceManagement/windowsAutopilotDeploymentProfiles/{id}/assignments' },
    @{ Name = 'Device Enrollment Configuration'; Uri = 'deviceManagement/deviceEnrollmentConfigurations'; AssignUri = 'deviceManagement/deviceEnrollmentConfigurations/{id}/assignments' },
    @{ Name = 'Device Shell Scripts'; Uri = 'deviceManagement/deviceShellScripts'; AssignUri = 'deviceManagement/deviceShellScripts/{id}/assignments' },
    @{ Name = 'Device Management Scripts'; Uri = 'deviceManagement/deviceManagementScripts'; AssignUri = 'deviceManagement/deviceManagementScripts/{id}/assignments' }
)

• The Parameters:

  • $AdministrativeUnit
    • The AU we are going to search through.
  • $Scope
  • We get three options. All/Assigned/Unassigned. This will default to All unless chosen otherwise.

• The Resources mapping:

  • I used this as a way to combine the assignURI and regular URI along with a short name for the CSV export column.

Getting the Administrative Unit details​

    #region Get AU
    $uri = "https://graph.microsoft.com/$graphApiVersion/directory/administrativeUnits?`$filter=displayName eq '$AdministrativeUnit'"
    $au = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    if ($au) {
        Write-Output "Administrative Unit: $($au.displayName) found."
    }
    if (-not $au) {
        Write-Error "Administrative Unit '$AdministrativeUnit' not found."
        return
    }
    #endregion

    #region Get Groups in AU
    $groups = @()
    $uri = "https://graph.microsoft.com/$graphApiVersion/directory/administrativeUnits/$($au.id)/members"
    do {
        $response = Invoke-MgGraphRequest -Method GET -Uri $Uri

        if ($response.value -and $response.value.Count -gt 0) {
            $groups += $response.value
        }
        elseif ($response -and $response.PSObject.Properties.Name -ne '@odata.context') {
            $groups += $response
        }

        $Uri = $response.'@odata.nextLink'
    } while ($Uri)

    $groups = $groups | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }

    if ($groups) {
        Write-Output "Found $($groups.Count) groups in Administrative Unit."
    }

    if (-not $groups) {
        Write-Warning "No groups found in Administrative Unit."
        return
    }

    $groupMap = @{}
    foreach ($g in $groups) {
        $groupMap[$g.id] = @{
            GroupId   = $g.id
            GroupName = $g.displayName
            Assigned  = $false
            Items     = @()
        }
    }
    #endregion

• From here, we're going to ensure the AU actually exists.
• Next, we're going to get all the group members.
• Then we're going to make a mapping for the groups, this allows us to store the groups, putting the Assigned to $false by default.

Processing the Resources​

# Process each resource
foreach ($resource in $resources) {
    Write-Output "Scanning $($resource.Name)..."

    # Get objects
    $objects = @()
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($resource.Uri)"
    do {
        $response = Invoke-MgGraphRequest -Method GET -Uri $Uri

        # Normalize response
        if ($response.value -and $response.value.Count -gt 0) {
            $objects += $response.value
        }
        elseif ($response -and $response.PSObject.Properties.Name -ne '@odata.context') {
            $objects += $response
        }

        $Uri = $response.'@odata.nextLink'
    } while ($Uri)

    if (-not $objects) { continue }

    # Normalize names
    foreach ($obj in $objects) {
        $name = $obj.displayName
        if (-not $name) { $name = $obj.name }
        if (-not $name) { $name = "" }

        $obj | Add-Member -NotePropertyName NormalizedName -NotePropertyValue $name -Force
    }

Now that we have the groups stored, we can then process each resource from the $resources array from above. One of the joys of Microsoft Graph is the inconsistency in certain spots. Sometimes we get "name", sometimes we get "displayName". So we have to be aware that not everything is the same all the time. A fun challenge sometimes.

Batching​

    $batchSize = 20
    $chunks = for ($i = 0; $i -lt $objects.Count; $i += $batchSize) {
        , $objects[$i..([Math]::Min($i + $batchSize - 1, $objects.Count - 1))]
    }

    foreach ($chunk in $chunks) {

        $requests = @()
        $i = 1

        foreach ($obj in $chunk) {
            if (-not $obj) { continue }

            $assignUrl = $resource.AssignUri.Replace("{id}", $obj.id)
            $requests += @{
                id        = "$i"
                method    = 'GET'
                url       = "/$assignUrl"
                ObjectRef = $obj
            }
            $i++
        }

        if ($requests.Count -eq 0) { continue }

        $responses = Invoke-MgGraphBatchRequest -Requests $requests

• Graph has a limit of 20 requests per batch. What we are doing here is splitting this up into chunks of 20, and then looping through and getting the assignments, rather than one by one. We're also replacing the id from the resource mapping with the actual $obj.id
• We're then sending all that to the Invoke-MgGraphBatchRequest to then process.

Processing the Requests​

foreach ($req in $requests) {
                $response = $responses | Where-Object { $_.id -eq $req.id }
                if (-not $response) { continue }

                $obj = $req.ObjectRef
                if (-not $obj) { continue }

                if ($response.status -ne 200) {
                    continue
                }

                $assignments = $response.body.value
                if (-not $assignments) { continue }

                foreach ($assignment in $assignments) {
                    #Include Assignments
                    if ($assignment.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget') {
                        $gid = $assignment.target.groupId
                        if ($gid -and $groupMap.ContainsKey($gid)) {
                            $groupMap[$gid].Assigned = $true
                            $groupMap[$gid].AssignmentType = "Include"
                            $groupMap[$gid].Items += [pscustomobject]@{
                                PolicyType = $resource.Name
                                PolicyId   = $obj.id
                                PolicyName = $obj.NormalizedName
                            }
                        }
                    }
                    #Exclude Assignments
                    if ($assignment.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget') {
                        $gid = $assignment.target.groupId
                        if ($gid -and $groupMap.ContainsKey($gid)) {
                            $groupMap[$gid].Assigned = $true
                            $groupMap[$gid].AssignmentType = "Exclude"
                            $groupMap[$gid].Items += [pscustomobject]@{
                                PolicyType = $resource.Name
                                PolicyId   = $obj.id
                                PolicyName = $obj.NormalizedName
                            }
                        }
                    }
                }
            }
        }
    }

• Now we're taking the requests and processing them for the assignments. Initially, I didn't factor in the exclusion assignments and had to figure that in.

Building and Exporting the Results​

# Build results
    foreach ($g in $groupMap.Values) {
        if ( $Scope -eq 'All' -or ($Scope -eq 'Assigned' -and $g.Assigned) -or ($Scope -eq 'Unassigned' -and -not $g.Assigned)) {
            #Assigned groups
            if ($g.Items.Count -gt 0) {
                foreach ($item in $g.Items) {
                    $results += [pscustomobject]@{
                        GroupId        = $g.GroupId
                        GroupName      = $g.GroupName
                        Assigned       = $true
                        AssignmentType = $g.AssignmentType
                        PolicyType     = $item.PolicyType
                        PolicyId       = $item.PolicyId
                        PolicyName     = $item.PolicyName
                    }
                }
            }
            else {
                #Unassigned groups
                $results += [pscustomobject]@{
                    GroupId    = $g.GroupId
                    GroupName  = $g.GroupName
                    Assigned   = $false
                    AssignmentType = ''
                    PolicyType = ''
                    PolicyId   = ''
                    PolicyName = ''
                }
            }
        }
    }

    #region Export results
    if ($results.Count -gt 0) {
        $results | Sort-Object GroupName | Export-Csv -Path $outputFilePath -NoTypeInformation
        Write-Output "Output file = $outputFilePath"
    }
    else {
        Write-Warning "No output file created."
    }
    #endregion
}

• I'm a sucker for a good CSV file. Some make pretty HTML reports, JSON files, whatever else. I prefer my data to be in a CSV, mainly for the ability to filter it all down.
• We're building arrays for both the Assigned and Unassigned groups.

CSV Results​

After running, we now have a CSV file:

• From here, we can take this CSV file, and build upon this with a function to remove the groups if not assigned.

Greetings everyone! It's almost February, winter is still in full swing, and I'm getting cranky from the cold weather. I'm looking forward to spring, and possible new adventures, I'm wanting to ride my bike more and do some camping. I've been selling off old junk on Facebook Marketplace, and trying to de-clutter what I have (not the random box of cables of course, you never know when you will need the random power cables or bluetooth adapters). In the meantime, I've been working on a solution to document our Intune policies in an automated fashion using GitHub Actions on a daily (or weekly, not sure yet?) schedule. With that, I want to write about it, mainly because I am a little pumped about it and think it's going to be a pretty nice solution. There is a lot to it, so let's dive into it.

Github Repository

Code Overview​

Since I mainly work on the configuration side of things, and not much with application packaging, or the other parts of Intune, this backup solution is focused mainly on policies. I think I've made this to be pretty expandable though, as long as you are aware of the differences in different sections of the Graph API for Intune. For this, within each section of the /deviceManagement area of Graph API, I have made the following:

• A function that exports the JSON configuration for the policy.
• A function that exports the JSON assignments for the policy.
• A function that converts the JSON configuration to Markdown format to make it pretty.
• A function that converts the JSON assignments to Markdown format to make it pretty.

This takes place for these sections within the API:

• deviceManagement/configurationPolicies
  • Settings Catalog
• deviceManagement/deviceCompliancePolicies
• deviceManagement/deviceConfigurationPolicies
  • Templates
• deviceManagement/deviceEnrollmentConfigurations
• deviceManagement/deviceHealthScripts
  • Proactive Remediations
• deviceManagement/deviceManagementScripts
  • Platform Scripts
• deviceManagement/deviceShellScripts
  • Mac Shell Scripts
• deviceManagement/groupPolicyConfigurations
  • Custom ADMX Templates
• deviceManagemnt/windowsAutopilotDeploymentProfiles

Within each function for the exports, it's using:

Get-IntuneDeviceManagementPolicy

This is a helper function that allows the code to be repeatable, calling those API sections.

From there, the two main functions that do the majority of the work for the GitHub Actions are:

Invoke-IntuneDocumentation
Invoke-IntuneAssignmentDocumentation

Both functions have two parameters, docType and outputPath

• docType
  • This defaults to All, which processes all the Export commands in the function.
  • Can be switched to specific endpoints, such as deviceManagementScripts, etc.
• outputPath
  • Where to export the files to.

Some of this could have probably been de-duplicated, but there were enough differences in the different sections that after a bit of time, to me it made a little more sense to just have the same set of functions for each section of the API. Made it easier for myself to follow, and hopefully easier for others to follow too.

Pre-Requisites​

There are some moving pieces to this setup, so some things to be aware of:

1. Need access to create an Azure App Registration
2. Need a GitHub Repository
3. Need an Intune tenant

With that said, this is also something that can be ran manually without the App Registration or using GitHub Actions, but this post will walk through mainly the GitHub Actions scenario. I'll call out the spots for a manual configuration.

Azure App Registration​

Within the Azure Portal, go to App Registrations.

API Permissions​

1. Create a new App Registration, giving it a proper name.
2. Choose API permissions from the left hand side, and add the following permissions:
   1. DeviceManagementConfiguration.Read.All
   2. DeviceManagementScripts.Read.All
   3. DeviceManagementServiceConfig.Read.All
   4. GroupMember.Read.All
3. All API permissions should be Application based permissions
   • Note: If running manually, you can add Delegated permissions
4. Don't forget to Grant admin consent

Federated Credentials​

1. Next go to Certificates & Secrets and choose Federated Credentials
2. Choose GitHub Actions deploying Azure Resources from the drop down menu.
3. Fill out the rest of the form, filling in the details of your GitHub Repository.

Overview​

1. Once finished, go to the Overview page of your Azure App Registration and take note of your Tenant ID and Application ID, you'll need this later on.

GitHub Configuration​

With the Azure portion configured, we can now configure GitHub. Start by cloning the repository here, however you see fit to do.

Environment Variables​

In GitHub, go to Settings for your repository, and we're going to setup a couple of environment variables. Pay attention to the uppercase/lowercase, as this will matter. GraphApi should also match exactly to what you put in during the Azure App Registration process.

Secrets​

• Next under Settings, go to the Security section and choose Secrets and variables and then Actions.
• Create two new secrets:
  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID
• For each, add the values from your Azure App Registration.

Ruleset​

• Now go to Rules and choose Rulesets
• Create a new ruleset, naming it whatever you like.
• The settings should be as follows (some are automatically checked):
  • Enforcement Status: Active
  • Target Branch > Include by Pattern > main (or whatever the name of your branch is, might be master).
  • Restrict deletions
  • Require a pull request before merging.
  • Require status checks to pass.
    • Require branches to be up to date before merging.
    • Status checks that are required:
      • Status-Gate
  • Block force pushes.
• Save the changes.

GitHub Actions​

Under the settings, click Actions, and go to General. Then go to Workflow permissions, and check the following:

• Read and Write Permissions
• Allow GitHub Actions to create and approve pull requests

Note: If you are working in an Enterprise tenant for GitHub, you might have to have these settings changed at the organizational or even Enterprise level, depending on your setup. For our environment, I was unable to change this until an admin changed the setting at the organization level

GitHub Actions Files Overview​

There are three GitHub Actions files, located at .github/workflows of the repo:

GitHubAction-JL-IntuneDocs.yml

• This is the main file. In my file, I have this set to run at 9:00 p.m. CST every night. Once this kicks off, the following will happen:
  • All files at this folder will be removed.

"${{ env.REPO_DIR }}/Docs"

• Will login to Azure.

      - name: DEV Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true
          enable-AzPSSession: true

• Will generate new markdown files:

      - name: Generate Markdown Files
        shell: pwsh
        run: |
          $GraphTokenResponse = az account get-access-token --resource https://graph.microsoft.com
          $GraphToken = ($GraphTokenResponse | ConvertFrom-Json).accessToken
          $SecureToken = ConvertTo-SecureString $GraphToken -AsPlainText -Force
          Install-Module Microsoft.Graph.Authentication -Force -AllowClobber
          Install-Module Microsoft.Graph.Beta.DeviceManagement -Force -AllowClobber
          Connect-MgGraph -AccessToken $SecureToken
          Import-Module -Name "${{ env.REPO_DIR }}" -Force
          Invoke-IntuneDocumentation -docType all -outputPath "${{ env.REPO_DIR }}/Docs"
          Invoke-IntuneAssignmentDocumentation -doctype All -outputPath "${{ env.REPO_DIR }}/Docs"

• Configure Git
• Set the branch name
• Commit to the branch and do a push
• Then create a pull request

 # CONFIGURE GIT
      - name: Configure Git
        run: |
          git config --global user.name "Joe Loveless"
          git config --global user.email "joe@joeloveless.com"

      # SET BRANCH NAME
      - name: Set branch name
        id: vars
        run: echo "branch_name=JL-IntuneDocs-$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

      # COMMIT and PUSH
      - name: Commit changes
        run: |
          cd "${{ env.REPO_DIR }}"
          git checkout -b ${{ steps.vars.outputs.branch_name }}
          git add .
          git commit -m "Policies: $(date +'%Y-%m-%d')" || echo "No changes to commit"
          git push origin ${{ steps.vars.outputs.branch_name }}

      # CREATE PR
      - name: Create Pull Request via REST API
        id: pr
        run: |
          echo "Creating PR from branch: ${{ steps.vars.outputs.branch_name }}"

          RESPONSE=$(curl -w "%{http_code}" -o response.json -X POST \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            https://api.github.com/repos/${{ github.repository }}/pulls \
            -d @- <<EOF
          {
            "title": "Automated Intune Docs Update",
            "head": "${{ steps.vars.outputs.branch_name }}",
            "base": "main",
            "body": "Automated documentation update for $(date +'%Y-%m-%d')."
          }
          EOF
          )

          echo "HTTP status: $RESPONSE"
          echo "Response body:"
          cat response.json

          PR_NUMBER=$(jq -r '.number' response.json)
          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Once that is successful, a status check will run. This is basically ensuring that the first Action completed successfully, ensuring we don't have a messy merge process.

GitHubAction-JL-StatusCheck.yml

 - name: Find PR created by JL-IntuneDocs workflow
        id: find_pr
        run: |
          echo "Searching for PR with branch prefix: JL-IntuneDocs-"

          PR=$(gh pr list --state open --json number,headRefName \
               --jq '.[] | select(.headRefName | startswith("JL-IntuneDocs-")) | .number')

          echo "PR: $PR"
          echo "pr_number=$PR" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Get PR commit SHA
        id: get_sha
        if: ${{ steps.find_pr.outputs.pr_number != '' }}
        run: |
          PR=${{ steps.find_pr.outputs.pr_number }}

          SHA=$(gh pr view "$PR" --json headRefOid --jq '.headRefOid')
          echo "PR commit SHA: $SHA"

          echo "sha=$SHA" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Set status check on PR commit
        if: ${{ steps.get_sha.outputs.sha != '' }}
        run: |
          SHA="${{ steps.get_sha.outputs.sha }}"
          echo "Setting status on PR commit: $SHA"

          gh api \
            repos/${{ github.repository }}/statuses/$SHA \
            -f state=success \
            -f context="Status-Gate" \
            -f description="All required jobs completed successfully."
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

GitHubAction-JL-AutoMerge.yml

The last action, is to then merge the pull request into the main branch. After authentication, it's going to find the latest pull request, and then merge it into the main branch.

steps:
      - uses: actions/checkout@v4

      - name: Install GitHub CLI
        run: sudo apt-get install -y gh

      - name: Authenticate GitHub CLI
        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token

      - name: Find PR created by JL-IntuneDocs workflow
        id: find_pr
        run: |
          PR=$(gh pr list --state open --json number,headRefName \
               --jq '.[] | select(.headRefName | startswith("JL-IntuneDocs-")) | .number')
          echo "pr_number=$PR" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge (rebase)
        if: ${{ steps.find_pr.outputs.pr_number != '' }}
        run: gh pr merge ${{ steps.find_pr.outputs.pr_number }} --auto --squash --delete-branch

Markdown Output​

Policy Documents​

My initial goal for this project was to convert the entire JSON file to Markdown, using PSObjects. In attempting to do that, starting with the Settings Catalog section, I found so many different variables, that it became a battle I didn't want to fight anymore.

For Settings Catalog alone, there are the following different setting types:

• optionValue
• choiceSettingValue
• simpleSettingValue
• ConfigurationStringSettingValue
• choiceSettingCollectionValue
• groupSettingCollectionValue

Within the old Templates area, I ran into differences with OMA-URI, Certificates, templates, etc.

Similar with the Group Policy area too, which was more annoying because that is the least used section in our org....

And I think I am probably missing some. Within those, I then ran into child items...and then more child items....and more child items (and probably even more). It got to the point where every time I went back to this project, I'd confuse myself more on where I was at with it.

At some point, I ran across Sandy Zeng's GitHub and found the idea of outputting the JSON for each setting instead. With that, I then came up with what I wanted to run with on this.

I'm taking out the items I find most valuable within each setting:

• Name
• Description
• Full URI
• InfoURL

For certain configurations (Scripts, XML, Certificates), the conversion functions will decode the files so you can get the actual script content displayed. Here you can see the example output from one of the default Remedation scripts from Microsoft. Update Stale Group Policies

The rest is the json file, split out for each setting. My repo has examples from my Intune test lab that you can check out.

Assignment Documents​

When the Invoke-IntuneAssignmentDocumentation runs, a subfolder is created under /Docs/Assignments. The JSON for the Policy documents will create an assignments link, based off the same name of the policy. From there you can click that link in the markdown file, and go into the Assignments page.

The assignments page will give you each group assigned to the policy. I have another helper function within this that takes the GroupID, and looks up the actual Entra group display name. If the group Id is 'adadadad-808e-44e2-905a-0b7873a8a531', then the output will be All Devices, if the group ID is 'acacacac-9df4-4c7d-9d50-4ef0226f57a9', the output will be All Users.

The assignments page also gives you the JSON output, similar to what is being done with the policies, just on an assignment basis and not a setting basis.

Final Thoughts​

What I like about this configuration is the ability to have branches, so you can get a historical view of how your policies or assignments have changed over time. With GitHub, you have a nice repository you can search for keywords off of, something Intune is sorely lacking today. Publish this repository to an internal GitHub Pages setup, and then you have a nice documentation page you can give to your Service Desk or Desktop Support staff for easier troubleshooting.

Let me know what you think, would love to gather some feedback or potential issues that you see with this!

Happy weekend everyone, I'm back with another post for the month. I'd like to say I've been busy and productive, but that's not really the case. I am trying to lay low and stay sane at the moment. To distract myself, I recently picked up a TrimUI Brick....actually my mom got it for me for my birthday (yes my mom bought me a birthday present in my 40s). I've been burnt out recently on PS5 gaming, annoyed by the fact that there is not an end in sight to games anymore. There is always some expansion pack, open world, or micro transaction. As you can tell, I f'n love the 90's and early 2000's nostalgia from my childhood. It probably wasn't as great as I remember (hence my someone fragile mental state at times), but dammit, we had the best of both worlds. Life without the internet + life with the internet. Since I got the retro handheld, I've been playing a lot of Donkey Kong Country and NHL 94 to keep me distracted.

But enough about my personal updates, this blog post is more about getting back into what the original theme about this site was going to be, writing about endpoint management and capturing my thoughts on it. Last year, I setup a Hyper-V lab for ConfigMgr, Intune, and Active Directory. This post deviates a little bit from the ConfigMgr and AD side of things, and focuses more on the Intune side. I have a test tenant that has been sitting dormant for a while. I figured, why not start with the basics a little bit and configure Windows Autopilot in a Hyper-V scenario?

This post is not going to walk through setting up Hyper-V or Microsoft Intune, if you need help with that, check out my post from last year on setting up an Intune lab.

Preparation, downloading a Windows 11 ISO​

The first thing we need to do is download a Windows 11 ISO. There are plenty of ways to do this, if you have access to Visual Studio subscriptions, you can get it there. For me, I am just going to download the ISO from Microsoft directly. The link is below:

https://www.microsoft.com/en-us/software-download/windows11

Once downloaded, open the file and you'll want to choose ISO file during the setup assistant.

This might take a minute....

Autopilot Configuration​

To configure Autopilot, we basically have 3 things we need to do:

1. Import the hardware hash (will do this later during the VM creation)
2. Create and assign an Autopilot profile.
3. Create a device group for the Autopilot devices

Let's work backwards on this, makes total sense.

Creating the device group for Autopilot devices​

Let's go over to the Entra portal, and go to Groups.

We're going to create a new group:

We want the group to be a Dynamic Device group.

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

This query retrieves any device that is registered with Windows Autopilot.

Create device groups for Windows Autopilot

Create and assign an Autopilot profile​

Now we're going to head over to Microsoft Intune, and create the Autopilot profile.

From the Intune portal:

Devices > Enrollment > Deployment Profiles

Create a new profile and give it a proper name:

In this case, we're going to choose a User-Driven profile and give it a naming convention.

Final step, we're going to assign the profile to the Entra group we just created.

Once finished, your profile should look like this:

Importing the hardware hash​

Now that we have those steps done, we're at the point where we need to import the hardware hash. We can't do that step without creating a VM first, so let's open Hyper-V and get started on that.

Creating the VM​

We can either do this through the GUI, or do it with PowerShell. I'm going to create it with PowerShell, and then I'll show you the configuration in Hyper-V

New-VM -Name "W11_25H2_Autopilot" -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath "C:\VMs\W11_25H2_Autopilot\W11_25H2_Autopilot.vhdx" -Path "C:\VMs\W11_25H2_Autopilot\VMData" -NewVHDSizeBytes 80GB -Generation 2 -Switch "JoeLoveless.com" -

Add-VMDvdDrive -Path "C:\VMs\W11.iso" -VMName "W11_25H2_AutoPilot"

Enable-VMTPM -VMName "W11_25H2_AutoPilot"

• Before we power it up, remove the network adapter and the hard disk. We'll come back to these later, first we want to capture a checkpoint.
• Go into settings for the VM and remove those, also add a 2nd processor and enable TPM.
• Now we're ready to power up the VM.
• At the first OOBE screen, create a checkpoint

• Now, with the VM still up, add the network adapter back.
• Continue on through the setup process, allowing the computer to restart when necessary.

• Once at this screen, hit Shift+F10 and open a command prompt.
• Type powershell.exe

Set-ExecutionPolicy bypass

Install-Script get-windowsautopilotinfo

• Accept all the prompts, allowing the script to install.

Get-WindowsAutoPilotInfo.ps1 -online

• Some Microsoft Graph modules will install.

• Sign in with your Microsoft account (choose work or school)
• Accept all the prompts
• After the window closes, you should see the device being imported through the powershell window.
• Once finished, you should now see the serial number in the Entra group.

• Now that we are finished, let's revert to our checkpoint, and go through the full setup process.
  • Make sure you add the network adapter back!
• After a few minutes and clicking through, you should be at a sign-in screen.

Make sure you sign in with an account licensed for Intune

• Depending on your tenant setup, you might see some different options from here on out (MFA, WHFB, etc)
• Eventually, you will find your way to the Windows logon screen

Checking Microsoft Intune, we now have the VM loaded in properly.

Final Thoughts​

I'd like to know how others are testing Autopilot and Intune in their lab environments. Is anyone still using AD/ConfigMgr for testing, or going solely to Intune/Entra joined devices? Is there a better way to provision VMs?

We're now 10 days in to 2026. It's already been a little hectic in the world, and in Minnesota. My goal for this space is to not only have technical content, but share some personal things to a degree also. At work, we have to fill out goals for the following year, three actionable items we want to accomplish, and details on how we want to accomplish them. This is apart of our yearly review process. Items like self-evaluation, and setting goals are difficult things for me to do, especially when I know there is a limited training budget, limited time, and limited ways to accomplish those things. But, I try to think about where I want to go with my career, and put real thought into that. At the end of the year, I do something similar at home, writing down both personal and professional goals I want to achieve. A lot of times that page of paper gets lost, I forget about it, I don't do it, or I do other things instead. There is always a balance of professional and personal goals, and I certainly do not want the professional goals to outweigh the personal goals.

I figured this website is a perfect place to write down those things, along with more detail on how I want to accomplish them.

Overview of my Yearly Goals​

• Professional goals
  • Artificial Intelligence/Model Context Protocol
  • Python
  • KQL
• Personal goals
  • Eat healthier
  • Exercise
  • Read a minimum of 12 books
  • Visit state/national parks
    • 6 state parks
    • 2 national parks
  • Learn photography

Professional Goals​

Each year I try to think about what I am interested in, what's upcoming, and what could help my career. My goals for the year are to try to learn AI, Python, and KQL. While I have mostly been in the Endpoint space in my career, I do wonder what the world is like in other areas of technology. At home, I enjoy playing around with open-source technology, trying new things, and seeing what's out there. I've thought about going down the Cloud Computing route, or maybe even trying to switch over to Linux Administration. Either way, all the things I am hoping to learn professionally can only help me in my current role, and maybe open up new opportunities for me.

AI/MCP​

While I don't necessarily agree with everything about AI, I'd probably be a little silly to not try to learn all the capabilities, or even begin to learn. My plan at some point in the year is to go through Microsoft's MCP training, https://github.com/microsoft/mcp-for-beginners and see where that leads me.

Python​

I've mostly been in the PowerShell world my entire professional career, not really deviating. I figured if I ever do want to head down the Linux/Cloud Computing path, it's probably best to start learning Python. I previously purchased Python Crash Course, 2nd Edition, but never opened it up. One of those goals that fell by the wayside.

I've purchased Python Crash Course, 3rd Edition to help me learn Python. I'll also find some YouTube videos and maybe some other online material to help me along the way.

I find books/labs to be my best method for learning new things. Online videos, I tend to lose focus more easily, and have to keep going back to the content.

KQL​

I've messed around with KQL here and there, but nothing too extensive. A lot of copying and pasting of code from the community, and then tweaking to get things working how I want. I picked up The Definitive Guide to KQL, and plan on jumping into that more after I go through the Python content.

I've been playing more with Log Analytics Dashboards in Azure, and seeing how I can get data from Microsoft Intune into there and setting up different reports. Lately I've been building out a change tracking dashboard for our team.

Personal Goals​

The professional goals are a little bit more open ended for me. I try not to sink too much time on the weekends, after work into professional goals that require me to be away from my family. I put more into the personal goals, and these are all things I 100% want to achieve, or start working towards.

Eat Healthier/Exercise Routine​

Issue: I eat great in the summer, exercise in the summer. I live in Minnesota, where it's f'n cold a lot of the year.

My goal here is to try to eat healthier year round along with exercising regularly. I have back issues. Poor posture, shoulder pain, etc. Between my 7th and 8th grade year I grew a foot, which really messed with my back. No real injuries, just random issues here and there. I'm getting older, and need to take care of myself more.

I have been riding my bike a ton, but last year, I didn't get on it more than a handful of times. Living out in cornfield/gravel road country, it's hard to find the motivation to ride it, as the rides are straight, windy, and bumpy. I'm one of those people, when I do something, I like to do it all the way. It's why I don't gamble. My goal this year is to ride my bike more, but not that much more. I don't need to try for 100 miles, or probably even 50 miles. If I could do 10-20 miles 3 days a week, that would be fantastic for me. With that, I'd like to start lifting weights, or introduce a stretching routine. Stretching I have done in the past, but nothing consistent. Lifting weights is something I've never really done, as I don't see the joy in it. It might be one of those things (like cycling), where once I start doing that, I'll enjoy it more.

My other goal is to eat healthier. I love frozen pizza, candy, and cereal. I know it's not good for me. In the summertime, I eat a lot of veggies from my garden. Year round I eat a lot of fruit. I'd like to keep eating healthy year round, and prepare more meals.

Read a minimum of 12 books​

My goal last year was 15 books. I made it about 7 books in before I lost momentum, and then didn't read another book all year. I made it through those 7 books probably by March. Another one of those things of being 100% in on something, I was reading daily, but then got burnt out on a series I was reading. I read 5 of the books in the series, but didn't even bother finishing the last one (Red Rising Series, I loved it, need to finish the last one.). I cut my goal back by 3 this year, down to 12. So that would be one book a month. I should be able to achieve this.

My daughter reads about 12 books a month, so there is 0 reason I shouldn't be reading more.

Visit State/National Parks​

We didn't go on any national park trips last year, but I want to get back out to them this year. Rocky Mountains is my favorite park I've been to. I'd like to go back out there, and maybe visit another Colorado park. I love seeing all the wildlife. Last time in the Rockies, we saw moose, elk, and longhorn sheep. The moose we saw were standing on the trail we were walking on, very intimidating. No I did not try to hug one.

Every year I take each of my kids on a separate camping trip. I'm still working my way through the MNDNR Hiking Club, and hope to continue on with that. My goal is to visit 6 state parks (probably pretty low). The issue is, I've knocked off most of the parks in Southern MN within a 2 hour drive from me. So now I'll need to start traveling more.

I think I can do the above on some camping trips with each of the kids. Georgia seems to love the north more than Jay, where Jay like to play along the Mississippi and try to do fishing.

Learn Photography​

Georgia took a photography class in high school, which had me buying a used camera off Facebook Marketplace. She didn't really care for the class all that much, but learning photography has been an interest of mine since I was a teenager. One of those things I never bothered learning. I feel like as a millennial, I'm starting to detach from my phone more and more. I'd like to slow down, learn photography, go back to an MP3 player, and start retro gaming.

How will I learn photography? That part I haven't quite figured out yet, but it's on my to do list.

2025 is almost to a close. We recently went back to Indiana to visit our family and had a good time. The weather was unseasonably warm, especially compared to Minnesota standards. We visited the Indianapolis Zoo, as the kids have been wanting to see the chimps since we last lived there and they did a summer camp at the zoo. We saw some super active orangutans, and other animals that are normally not active. I love visiting zoos on winter days. No crowds, some animals being more active than they normally are. Christmas was nice, my cousin came up to visit who I don't see all that often and I was able to catch up a bit with my dad and brother. Family gatherings are usually a little awkward for me, I'm more laid back and reserved while my family when all together are pretty loud and talk over each other (even if there is only 11 of us).

My goal for this blog going into the new year is to obviously try to write more consistently. I started out good in 2025, but tapered off at the end (as I do with most things.) This year I am hoping to write at least once a month, with posts having more content to them. I'm not exactly sure what I will write about, probably more things with endpoint management, but honestly I like to just write about whatever I feel like. Which sums up this post perfectly.

Before Christmas, I had been working on my home setup more and wanted to write a post before the end of the year. Recently I bought a new UGreen 4-bay NAS (my first NAS) and have been learning about Docker a lot. Before I had the NAS, I was running Proxmox off of a Intel NUC, using LXC Containers or VMs. I also had a Dell Optiplex in use, but that was more for Active Directory/ConfigMgr/Intune testing. With my new NAS, and expanded storage/memory and ideas, I decided to split up how I was doing things.

You can find more of my home lab setup here but I've migrated a few containers off of Proxmox and into Docker (using Portainer as my management tool for Docker). In this post, I plan to go into :

• How I've used an unused domain name on Cloudflare to get proper certificates.
• Technitium to manage my DNS and ad blocking.
• Caddy to reverse proxy my sites and retrieve the proper certificates.
• Tailscale to access my network remotely
• And probably some other things I'm forgetting

The Before Times​

Okay, I've had my NAS since the fall. I've migrated the following from Proxmox to Docker, rebuilding services and trying to standardize. These were previously on a singular Proxmox container, running with an 8TB external hard drive plugged into the NUC and passing through to the container. Running off crappy internet, there was always some sort of issue or slow loading time. It got by good enough, but needed to be fixed.

• Plex
• Prowlarr
• Radarr
• Sonarr
• Lidarr
• Bazarr

I initially configured these all to run in host mode, with 192.x.x.x IP addresses. This was done mainly out of laziness, but once I discovered Portainer, I then went back and reconfigured these to all be in bridged networking (on separate networks). I was able to get them to communicate with each other by adding the following line in each compose file:

    extra_hosts:
      - ultron.local:192.168.4.125

So now that I have everything migrated over, I finally decided it was time to get certificates and domain names working correctly on this. Obviously, I'm the owner of joeloveless.com. I'm also the owner of some other variations of joeloveless and other random domain names my ADHD brain decides to randomly purchase. For this, I decided not to use joeloveless.com and instead use joeloveless.net for the setup. Why? I don't really have a great reason...separation of services, sure?

Let's play with Cloudflare!​

Have I used Cloudflare before, nope. Is it a lot, you betcha. Compared to Square Space, there are about a million more options. In my initial design/messing around, I was looking at DDNS providers (DuckDNS, NoIP, etc). I registered joeloveless.net with NoIP, but couldn't get that working properly, I then discovered certificate challenging with Let's Encrypt. I used these sites as my starting points:

• https://techdecode.online/decode/build-your-homelab-nginx/
• https://blog.jamesbrooks.net/posts/technitium-dns-server-with-tailscale/

Once you have an account, the first thing you need to do is configure the NS records properly. Easier when you buy the domain through Cloudflare, as that work is already done for you. If bringing in from another registrar, there is the transfer process. I followed Cloudflare's docs and was then ready for the next step.

API Key​

The next step is to generate an API key. Simple enough, make sure to copy it somewhere safe (not online) and actually do that. I can't tell you how many times I thought this was going to be a straightforward process, only to get stuck somewhere, not copy the API key somewhere I could reference it, starting over with a new try, and not having the API key. I think I generated about ten of them in total.

1. From the Cloudflare portal > Profile
2. Click API Tokens
3. Click Create Token
4. Choose Edit Zone DNS

• When using the template, it will pre-fill Edit zone for you. I went ahead and added Read also. Probably not needed, as you have to have Read to be able to Edit, but whatever.

• If you only have one domain, you could probably just choose All Zones, but I'm not sure what the future looks like, so I wanted to configure this only for joeloveless.net

Again, copy the API key somewhere safe as you'll need it later

For now, we are done in the Cloudflare portal, but will come back to this later.

Setting up a Reverse Proxy - Caddy for the Win​

Three things I'm not the greatest at.

1. Networking
2. Certificates
3. Linux

For a starting off point, I referenced this blog post to get started, but ended up modifying some of the steps:

• https://samedwardes.com/blog/2023-11-19-homelab-tls-with-caddy-and-cloudflare/
• https://akashrajpurohit.com/blog/setup-caddy-with-automatic-ssl-certificates-with-cloudflare/

Well, this is a home lab, here I am trying to learn. This is also a good place to document so the next dumb dumb (or me) can maybe stumble there way through it.

My goal initially was to run this all through Docker. I had issues getting anything to work properly, using NGINX ProxyManager, Caddy, or any other solution. What I landed on was:

• Proxmox LXC for Caddy
  • Reason for Caddy:
    • I was able to get it working while I struggled with the others.
  • Reason for Proxmox:
    • Proxmox Helper Scripts are dumb dumb proof. I also know my way around Proxmox just a little bit better than Docker at this point. And by a little bit, it means I've had it setup for longer. I'm no expert by any means.

Once the base setup is complete, ensure you have the Cloudflare DNS module installed also.

xcaddy build --with github.com/caddy-dns/cloudflare

Port Forwarding/IP Reservation​

Once your Caddy LXC is up and running, we'll want to go into it through the Web UI.

Getting your IP Address​

LXC containers are pretty bare bones. Turns out, ifconfig is not even an option.

root@caddy01:/# ifconfig
-bash: ifconfig: command not found

ip addr

An important step to do is to reserve the IP address for your Caddy container. You will also want to port forward 80/443. All of this is router dependent. I was able to do this through the Eero Android App, but your mileage may vary.

Cloudflare A Record​

Back to the Cloudflare portal, we will want to add an A record for our internal IP address.

More information on what this is doing exactly can be found on Cloudflare's documentation

Back to Caddy​

Running Caddy as a Service​

I followed this blog post to configure Caddy to run automatically or as a service.

• https://akashrajpurohit.com/blog/setup-caddy-with-automatic-ssl-certificates-with-cloudflare/

.env File​

Now that we have all that configured, we can hop back into the Caddy LXC and start configuring it.

cd /etc/caddy

/etc/caddy is where the config files for Caddy lives.

Let's start by making the .env file:

sudo nano .env

This is where the Cloudflare API token comes into play:

CF_API_TOKEN=REPLACE WITH YOUR API TOKEN

CTRL+X and CTRL+S will then save the file.

Caddyfile​

Now we will need to make the Caddyfile. Case sensitivity matters in Linux.

cd /etc/caddy

The Caddyfile is where all the configuration for our sites lives.

sudo nano Caddyfile

I struggled with this on the Docker side of things, mainly because Docker created a folder and was conflicting with my actual file.

Example configuration:

        email joe@joeloveless.net
}

# Public HTTPS subdomains
radarr.joeloveless.net {
        reverse_proxy 192.168.4.208:7878
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
}

sonarr.joeloveless.net {
        reverse_proxy 192.168.4.125:8989
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
}

lidarr.joeloveless.net {
        reverse_proxy 192.168.4.219:8686
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
}

Once configured, we will want to reload the service:

systemctl reload caddy.service

Going to lidarr.joeloveless.net takes me to a black screen through Firefox.

 curl -v lidarr.joeloveless.net
* Could not resolve host: lidarr.joeloveless.net
* shutting down connection #0
curl: (6) Could not resolve host: lidarr.joeloveless.net

We're almost there, we just need to configure Technitium properly.

Next up, Technitium​

To start, I live in the middle of nowhere Minnesota. My best and only internet provider is Starlink (booooo). I also have an Eero 6 router. Last year, I tried to configure Pi-hole again to block ads. What I found was my Pi-hole configuration (basically the default config) was balooning in size daily and recreating the hosts over and over again. In a limiited space Proxmox VM, this was no bueno, so I had to find alternatives.

This is where I found Technitium, and honestly, found it much better than Pi-hole. While the UI isn't as clean, the options provided are so much better than Pi-Hole. It's an Adblocker, DNS server, DHCP server, and I'm sure some other servers all rolled into one.

In a recent update, Technitium introduced a clustering option, and that is where the ideas started spinning. I already had Technitium on an LXC container using Proxmox Helper Scripts, but with clustering, I decided to go down the rabbit hole.

Docker Configuration​

Docker Compose

I'll be honest, I probably found the docker compose file somewhere, I'm just not sure where at this moment. I try to use the base Docker compose files when I can, and think this is what I used here. This is pretty straight forward, I try to use bridge mode for the networking whenever possible, but this is one that calls for the networking to be in host mode. Makes total sense to me and my Docker noobness.

Router Configuration​

You should now have two DNS servers. We'll want to copy the IP address from each, setup an IP reservation on your router, and set both of these as your primary and secondary DNS servers.

Optional: Cluster Configuration​

I now have two Technitium servers:

• dns01 - Proxmox LXC
• dns02 - Docker Container

Note: This part might be a tad out of order, as I already had a running Technitium server

I then logged into dns01 and followed Technitium's guide to setting up clustering

Setting up Zones​

Back to the issue at hand, we're now trying to hit the sites that we have in our Caddyfile by going to https://lidarr.joeloveless.net, https://sonarr.joeloveless.net, etc.

In Technitium:

1. Go to Zones > Add Zone
2. Create a new zone as a Forwarder zone

Adding Records​

Now we need to add a few records to our newly created zone:

First, create an @ record and a * record for Caddy:

Then, for each service, add an A record. The IP address should be that of the Caddy server, not of the service itself. This tripped me up initially.

We should now be able to go to a site and view the page correctly:

curl -v lidarr.joeloveless.net
* Host lidarr.joeloveless.net:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.4.229
*   Trying 192.168.4.229:80...
* Connected to lidarr.joeloveless.net (192.168.4.229) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: lidarr.joeloveless.net
> User-Agent: curl/8.15.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://lidarr.joeloveless.net/
< Server: Caddy
< Date: Fri, 26 Dec 2025 15:16:59 GMT
< Content-Length: 0
< 
* shutting down connection #0

We can also view the log files for Caddy by typing the following:

journalctl -u caddy.service --no-pager | less +G

Where are we at?​

A brief recap of what's been done so far.

• 1 domain name on Cloudflare
  • joeloveless.net
    • API token for DNS zones configured
    • A record for internal IP address
• 2 DNS Servers:
  • dns01 - Proxmox
  • dns02 - Docker
  • Servers are clustered together
  • 1 Forwarder zone (joeloveless.net)
    • @ and * records for 192.168.4.229 (caddy01)
    • A records for each service pointing to 192.168.4.229
• 1 Proxy Server:
  • caddy01 - Proxmox
    • Configured to run as a service
    • .env file storing the Cloudflare API token
    • Caddyfile containing the sites to be redirected
• Services
  • Lidarr, Sonarr, Radarr, whatever other service to configure.
  • Currently resolving internally to https://service.joeloveless.net with a HTTPS certificate.
  • Not resolving externally

Solving the remote issue - Enter Tailscale​

I'd like to be able to access my services remotely, without directly exposing ports to the Internet, setting up a full on VPN, or some other solution that I don't have too much time for. Enter Tailscale.

Tailscale allows you to install a client on devices/vms/whatever, and access those services from another Tailscale client. There are a multitude of options to configure, but I believe I landed on what works best for my use case.

More issues, installing Tailscale on Docker/UGreen NAS/Proxmox​

I ran into different issues trying to get all my clients talking correctly and accessible.

• Docker
  • All containers are being ran in bridged networking, getting them to communicate properly with the Tailscale docker container proved to be annoying.
• UGreen NAS
  • UGreen runs it's own Linux distro, I was running into errors trying to get it to install on the NAS. And that would only solve the problem for services running on the NAS directly had it worked.
• Proxmox
  • While I could have installed TailScale on all my Proxmox containers and VMs, I ran into different issues with different containers, and again, that would only solve the Proxmox side of things.

Adding a new Container to control it all​

After thinking about it for a bit, I landed on what I hope is a good decision. I decided rather than trying to get the Tailscale client installed on everything individually, I would instead spin up a 3rd Technitium DNS server (Proxmox LXC) and then install Tailscale on that host.

My thought process behind this:

• Gives me a third server, should one of my other DNS servers have issues. I could just update the DNS servers on my Eero router.
• Simple enough to setup. I don't need to worry about Docker configuration. I could just run the Proxmox Helper Script, then install the Tailscale client.
• I can cluster with the dns01 and dns02, so all the configuration will be there should I need to take any of the other two down. It's aware of all the zones, etc, so I can use this as a DNS server on the Tailscale side.

Configuring the new server - dns03​

This process was really straight forward.

Proxmox Helper Script - Technitium

Once this is finished, you then will run the Tailscale setup.

Proxmox Helper Script - Tailscale

From here, we are going to configure Tailscale to act as a subnet router, which requires some extra configuration.

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Now we can start Tailscale and advertise the routes:

tailscale up --advertise-routes=192.168.4.0/24 --advertise-exit-node

You should then get a message on your console with a URL to authenticate to, go ahead and do that portion (and setup the Tailscale account if you have not already done so)

Back in the LXC container:

tailscale set --accept-dns=false

TLDR: We're telling the host not to use Tailscale's DNS servers.

Now we are ready to configure some settings in the Tailscale portal, but first, do the following:

1. Capture the IP address and write it down

ip addr

2. Setup an IP reservation on your router for your new host so this will not change.

Tailscale Portal Configuration​

In the Tailscale portal, you should now see your host.

• Click on the three dots

• Ensure everything is checked correctly:

• Click Save, and then click on DNS in the top menu bar.
• Scroll down to Nameservers
• Enter your Public IP Address
  • To find your public IP on Linux:

curl -4 https://ipinfo.io/ip

• Click the three dots and toggle Use with exit node
• Remove any already configured Name Servers.
• Under search domains, add your domain name (see above screenshot)
• Disable MagicDNS.

Testing out the configuration​

So with this configuration, we should be able to do the following: [x] Resolve https://service.joeloveless.net internally. [x] Resolve https://service.joeloveless.net if connected via Tailscale. [x] Not be able to connect if on any other setup.

Internal​

My home wifi is cleverly named "LovelessWIFI"

ip addr

resolvectl

192.168.4.216 IP address, connected to dns01 (192.168.4.208) as the primary DNS server.

curl -v lidarr.joeloveless.net

Curl results are successful!

Host lidarr.joeloveless.net:80 was resolved.
IPv6: (none)
IPv4: 192.168.4.229
Trying 192.168.4.229:80...
Connected to lidarr.joeloveless.net (192.168.4.229) port 80
using HTTP/1.x
GET / HTTP/1.1
Host: lidarr.joeloveless.net
User-Agent: curl/8.15.0
Accept: */*

Request completely sent off
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://lidarr.joeloveless.net/
Server: Caddy
Date: Fri, 26 Dec 2025 19:06:19 GMT
Content-Length: 0
 
shutting down connection #0

I'm able to successfully connect to the service with valid certificates:

External​

I've now disconnected from my home wifi, configured and connected to my mobile hotspot.

10.142.141.137 IP address connected to 10.142.141.105 DNS server

Just to make sure there isn't anything lingering, let's flush DNS:

sudo resolvectl flush-caches

curl -v lidarr.joeloveless.net
* Could not resolve host: lidarr.joeloveless.net
* shutting down connection #0
curl: (6) Could not resolve host: lidarr.joeloveless.net

Failure = Success!

Tailscale​

So we've been able to connect internally, but not externally. Now let's see if Tailscale does it's job.

From a client that has Tailscale installed, make sure you configure the client to connect to the exit node:

sudo tailscale set --exit-node=dns03

Once configured, connect.

tailscale up

Let's make sure we're connected correctly:

tailscale status

curl -v lidarr.joeloveless.net
* Host lidarr.joeloveless.net:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.4.229
*   Trying 192.168.4.229:80...
* Connected to lidarr.joeloveless.net (192.168.4.229) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: lidarr.joeloveless.net
> User-Agent: curl/8.15.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://lidarr.joeloveless.net/
< Server: Caddy
< Date: Fri, 26 Dec 2025 19:23:04 GMT
< Content-Length: 0
< 
* shutting down connection #0

Curl is successful!

Success! I can now see all my previously bought CDs and tapes from my younger days.

Wrapping Up​

This was a pretty fun process to figure out. It seems to work surprisingly well so far, I was able to connect back to my home Starlink network via Tailscale and listen to my music on the way to Indiana in a lovely 9 hour car ride through Iowa and Illinois with hardly any issues. I hope everyone has a wonderful New Year's and a great 2026. Until next time, take care.

I've been slammed. I keep trying to set a schedule and stay organized, but with everything at work and home life, I've just not had the time or motivation to really write all that much. The kids are back in school, and that has been eating up most of my time. Work has been really busy the past few months, and hopefully with the holiday season upon us, things will start to slow down a little bit.

Since the last post, I've purchased a new UGreen NAS, which I am deeply enjoying. I'm going down the Docker route currently, and setting up my Plex server on that. I've transferred everything over, and am just working out the kinks. I think I'll do a post on the setup here shortly. Windows 10 End of Life happened, and my trusty Lenovo laptop (2018ish?) isn't spec'd for Windows 11. I decided to try something new, and put Fedora on it. Typically when I go the Linux route, I go for a Ubuntu flavor (Mint or Ubuntu), but I decided to try Fedora this time. I've never really had any issues with Linux, but I'm not a heavy user either. This laptop is basically a dedicated web browser for Discord, PocketCasts, and Spotify. For labbing and other tasks, I have my Dell Optiplex I got off eBay earlier in the year, and do most of my browsing of blogs and such on my Samsung tablet.

I didn't want to go too long without posting though, this post is about how I am trying to get some organization going in my life. One of my constant struggles is staying organized. I'm usually a little all over the place, and have tried different methods. Currently, I use the following:

• Field Notes
  • Personal notebook to write down things to do each day.
• Microsoft ToDo
  • I use this for work to try to flag e-mails, setup daily reminders of what I should actually be working on.
• Azure DevOps
  • Our team uses this as a sprint planner to try to stay organized. It's a little overkill for our team, but I enjoy it and it does help keep me on track.

It has come to my attention that I need to do more around the house. Fair enough, I'd agree with that 100%. The problem is, I'm a very checklist oriented person. Rather than ask for a list, which adds one more thing to my wife's plate, I've decided to try to tackle this with Home Assistant

Goals​

With this configuration, I'm looking to achieve the following:

• I want a dashboard that contains both weekly and monthly tasks that I can toggle on (finished) and off (todo)
• On Sunday, the weekly tasks should revert back to "off".
• On the first of the month, the monthly tasks should revert back to "off".

Creating Helpers​

• In Home Assistant, go to Settings > Devices & Services > Automations

• Click on Create Helper
• Create a Toggle helper
  • I put a prefix of Chores on each one of mine.
  • Do this for each chore you want to add.
• Once finished naming, I then went in and edited each entityid to look like this:

I added monthly or weekly to each chore that I added, I'll be using this later to help with organization. I also added tags to each one, to help me try to keep this in check.

Creating a Dashboard​

The next step is to create a dashboard, or if you want, add cards to your already created dashboard.

I've added my .yaml file on my GitHub

To get started, the dashboard is the following:

• Single pane dashboard
• Horizontal stack card
• Auto Entities HACS integration must be installed.
  • Repository

Because of how we named the entities with chores_weekly and chores_monthly we can now configure this in the yaml file:

We should now have a fully configured dashboard. When toggled to "on" (done), the toggle will go from ToDo to Finished.

Resetting the Dashboard with Automations​

The final thing I wanted to accomplish was to reset the chores either weekly or monthly. Why would I want to untoggle it myself? Craziness. Both of my automations are on my Github:

Chores - Reset Weekly Toggle Chores - Reset Monthly Toggle

• Go back into Settings > Automations & Scenes
• Click Create Automation
• Choose Create New Automation
• Click on the three dots in the top right corner and choose Edit in YAML
• Paste the code from my GitHub.

Automation Notes:​

• You'll want to change the entity_id list to match the chores you have added.
• The weekly dashboard is easier, as you can choose the day you want the toggles to reset weekly.
• The monthly dashboard, I chose to use a template. You could also create a calendar event if you have an integration for that to trigger off of.
  • If using the template route, I have mine resetting on the first of each month. Adjust to how you see fit.

Wrapping Up​

So that's it, now I have a dashboard where I can keep track of either my chores, or start tracking the chores for the kids also. We could also setup actionable reminders, but for now, I think this will do. The next step in the process is to actually stick with it and do the chores consistently. We'll see if that happens or not.

One of the challenges that we've found using Intune, is that there are policies that are in Group Policy (new settings even!), that then are not natively supported through the Settings Catalog in Microsoft Intune. Some of this seems to be random, and no clear reason to why this is the case. What is even more frustrating, is either the lack of clear documentation on what settings are actually available, and when they become available, or categories that have gone away from the ADMX backed method all together and write settings to different locations. In this post, I've written a couple of scripts to help admins with finding the settings that either exist or don't exist by exporting ADMX file data from a folder path, and then parsing that data through the Graph API.

The Issues​

Issue #1: Settings in Intune do not write to the same locations as Group Policy​

This is not consistent of course. A lot of settings do write to the same location as the group policy settings, but not all. Nothing is more frustrating that inconsistency. I'm sure there are more that fall under this category. But from what I've seen, the following write to different spots in the registry:

• Bitlocker
• Windows Firewall
• Windows LAPS
• Windows Hello for Business

Issue #2: GPP Preferences​

I won't get into that too much here, that's already been asked for several times with no movement.

• Printers
• Drive Mappings
• Registry Settings
• ODBC Settings
• Files
• Folders

Doesn't seem like that's going to happen anytime soon.

Issue #3: Random settings in Intune aren't available​

Why this happens, I have no idea. I see settings from Microsoft's Security Compliance Toolkit not available. I know there are settings from CIS' Windows 11 Enterprise Benchmark that aren't available. VSCode even recently introduced Group Policy ADMX templates, but did not introduce Intune Settings Catalog policies? It's a very frustrating scenario, and one that does not seem to have any rhyme or reason to it.

Helping find what's available and what's missing​

I've written two functions recently that I wanted to share with the community, and hope that someone will find it valuable. Both scripts are available on my GitHub or you can find them directly below:

Export-GPOADMXSettings Export-IntuneGPOSettings

Export-GPOADMXSettings​

While the Group Policy Analytics tool is available in Microsoft Intune, that is more for converting policies from Group Policy to Intune, or at least gathering the data on what is supported in already created group policies. What I am looking to do though, is export the settings from ADMX files themselves, and then find the corresponding Intune settings. Export-GPOADMXSettings helps do just that.

When running the script, you are presented with two paths to take.

• Option 1:
  • Enter a folder path that contains the ADMX files you want to analyze. This will then loop through all the ADMX files in the folder. Good for analyzing a few files, or a single file.
• Option 2:
  • Enter a domain name, this will then connect to the Sysvol and output the data.

If no parameter is specified, the function will default to loading a CSV file for a list of domains (our org has many). This will allow you to choose multiple domain names, with a Title header being the FQDN of the domain. From there, it's going to loop through each file and output the following data:

• Domain
  • Domain you connected to (if any)
• SettingName
  • Name of the group policy setting (not the displayName)
• Class
  • HKCU
  • HKLM
  • Both
• Key
  • Registry key path of the policy
• ValueName
  • Registry value name of the policy
• ValueType
  • I tried to categorize this how they are in Group Policy when selecting the options:
    • List
    • Enabled/Disabled List
    • Enabled List
    • Disabled List
    • Enabled/Disabled Value
    • Enabled Value
    • Disabled Value
    • TextBox
    • MultiText
    • Number
    • Dropdown
    • Checkbox
    • String
• ChildKey
  • If exists, the child registry key path.
• ChildValue
  • If exists, teh child registry value.
• Category
  • The associated category of the policy
• SupportedOn
  • What OS, AppVersion, etc that the setting has support for.
• ADMXFile
  • The name of the ADMX file processed.

Not all of this data is necessary for the next portion, but good to have if you are still working in a hybrid environment on a day to day basis.

Analyzing Common ADMX files​

I've put example outputs also on my GitHub page, but the direct links are here:

Microsoft OneDrive FSLogix Microsoft Edge Google Chrome Azure Virtual Desktop

Export-IntuneGPOSettings​

Note: Proper Graph API permissions are required for this. Feel free to checkout my Getting Started with Microsoft Graph post if unfamiliar with Graph.

Now that we have the Group Policy data, we are going to run the Eport-IntuneGPOSettings function. The main API endpoint that we will be working with on this is this path: https://graph.microsoft.com/beta/deviceManagement/configurationSettings

What we are doing with this is loading the previous csv file, and looping through the SettingName, and looking for matches.

#Load CSV
    Try { 
        $csv = Import-Csv -path $inputfilepath
    }
    Catch {
        Write-Error "An error occurred importing CSV file: $_"
    }

    #region Gather the settings
foreach ($gp in $csv){
    Try {
        $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationSettings?`$filter=Name eq '$($gp.settingName)'"
        $Settings = (Invoke-MGGraphRequest -Method Get -Uri $uri).value | Where-Object { $_.applicability.platform -match 'windows' }

    }
    Catch {
        Write-Error "Error gathering settings"
    }

I found that there were matching setting names in iOS, Android, and MacOS when initially running this, so I needed to narrow down the results a little bit more. The unforunate outcome that I found is that a setting name in Edge, can have the same setting name in Google Chrome. Rather than try to filter it down anymore, and have possible bad results, I've decided to leave this as is. Matching the Group Policy Category to the Intune Category was not an easy task.

Once finished, the following results will be returned:

• GroupPolicyName
  • SettingName from the last CSV file
• GroupPolicyKey
  • Registry key path from the last CSV file
• GroupPolicyValueName
  • Registry key value name from the last CSV file
• IntuneName
  • Name of the policy in Microsoft Intune
• IntuneKeywords
  • Any of the keywords from the configurationsettings api
• IntuneRootDefinitionID
• IntuneDisplayName
• IntuneHelpText
• IntuneOffsetURI
• IntuneMinimumSupportedVersion
• IntuneWindowsSkus
  • Supported Windows Skus for the policy.

So what is missing?​

From the CSV files I gave above, let's take a look at what settings are available in Group Policy, available in Microsoft Intune, and what are missing in Microsoft Intune.

Azure Virtual Desktop​

AVD Results

• 7 Group Policy settings
• 8 Microsoft Intune settings
  • AVD_SERVER_WATERMARKING is listed twice in Microsoft Intune
    • [Deprecated] Enable watermarking
    • Enable watermarking So this is good, we have 100% support for AVD settings in the admx template file. Google Chrome
• 691 Group Policy Settings

I ran into a lot of duplicates here with Microsoft Edge being in the mix, along with settings marked Deprecated. Instead, I'll filter by Blanks on the CSV file.

• 110 missing settings!

Not good! Within these missing settings, the ones that stick out to me the most are:

• AIModeSettings
• DevToolsGenAiSettings
• GeminiSettings
• PasswordDismissCompromisedAlertEnabled
• PasswordManagerPasskeysEnabled
• PasswordSharingEnabled
• PrivacySandboxAdMeasurementEnabled
• PrivacySandboxAdTopicsEnabled
• PrivacySandboxFingerprintingProtectionEnabled
• PrivacySandboxIpProtectionEnabled
• PrivacySandboxPromptEnabled
• PrivacySandboxSiteEnabledAdsEnabled

I would think/hope that there are orgs that would want a little bit more control over AI settings, password policies, and sandboxes in Intune that are purely cloud native? Microsoft Edge

• 835 Group Policy Settings

Similar to Google Chrome, we're going to see a lot of duplicates with the naming convention being the same.

• 20 missing settings. I do not understand how a Microsoft product doesn't have support in a Microsoft product. Below are the missing settings:

• FileOrDirectoryPickerWithoutGestureAllowedForOrigins

• LiveVideoTranslationEnabled

• EdgeWalletCheckoutEnabled

• EdgeWalletCheckoutEnabled_recommended

• ShowTabPreviewEnabled

• ShowTabPreviewEnabled_recommended

• Pol_EdgePreviewEnrollmentTypeMicrosoftEdge

• BlockTruncatedCookies

• ChannelSearchKind

• ReleaseChannels

• AccessControlAllowMethodsInCORSPreflightSpecConformant

• OriginKeyedProcessesEnabled_recommended

• RelaunchFastIfOutdated

• AccessControlAllowMethodsInCORSPreflightSpecConformant

• BlockTruncatedCookies

• WAMAuthBelowWin10RS3Enabled

• WebRtcPostQuantumKeyAgreement

• AllowBackForwardCacheForCacheControlNoStorePageEnabled

• ExtensionsPerformanceDetectorEnabled_recommended

• PrivateNetworkAccessRestrictionsEnabled FSLogix

• 116 Group Policy settings

• Only 1 missing setting, this one might make sense:

  • ProfilesRoamGroupPolicyState Microsoft OneDrive

• 65 Group Policy Settings

• 6 missing Intune settings

  • AddedFolderHardDeleteOnUnmount
  • DisableOfflineModeForExternalLibraries
  • DisableOfflineMode
  • AddedFolderUnmountOnPermissionsLoss
  • SharePointOnPremApplicationIdUri
  • SharePointOnPremOIDC

Wrapping It Up​

These are just some of the examples I ran into, with more being on the Windows setting side. Last time we refreshed our security baseline (pre-24H2), there were a lot more settings missing. I believe our count was around 180 settings not in the Settings Catalog. I'd be curious to know what the reasoning is behind settings not being available, especially settings that resolve CVE's.

Intro​

It's been a couple weeks since I've made a post. A lot has been happening at our house. I went camping a few weekends ago with my daughter at Mille Lacs State Park. It was our first time checking out the Brainerd, MN area. We did a lot of hiking, and passed our 50 mile mark for the MN State Park Hiking Club. We visited Mille Lacs State Park, Crow Wing State Park, Father Hennepin State Park, and Lake Maria State Park before heading back home. It was a great weekend camping with her and checking out the area.

I'm a sucker for stopping for a good road-side attraction. When the whole family is in the car, I don't get the chance to stop. But when by myself or the kids, yeah I'll stop at every place I can. I probably get that from my dad. He stopped at the Corn Palace in Mitchell, South Dakota once.

I bought this hammock for myself on camping trips. I don't think I've used it for more than 5 minutes, the kids love to chill and read books in it though. It also protects from falling acorns.

Since then, the kids have been back in school. She is starting 9th grade, while my son is starting 7th grade. They've homeschooled the last few years, and now are doing online schooling through Minnetonka. Most likely, they'll transition back to in-person school after this year, depending on if we move or not. Where we live now is pretty damn rural, and not a lot to offer for them. With the RTO fun, we might be on the move (again). We'll see what the future holds, any move probably wouldn't be until the spring.

I wanted to write a bit about using filters with Microsoft Intune, and provide the filters we use.

What are filters?​

Scott Duffey explains filters the best. My explanation is below.

• Entra has groups.
  • Dynamic or Static groups
    • Dynamic groups take a bit of time to process.
      • This can cause slowness on the processing of policy assignments on a device.
• Intune has "virtual groups". The recommendation is to use these whenever possible.
  • All Devices
  • All Users
• With filters, you can then narrow down the scope of your assignments.
  • This is done at the device check-in, and is faster than the processing of groups.

Recommendation: Use the built-in virtual groups + filters to be granular rather than relying on Dynamic or Static Groups.

Notes: There are limitations to filters, just like there are limitations to the groups. We have not been able to 100% use filters, nor 100% use groups. For the most part, our assignments look like this:

• Base policies will get assigned either All Devices or All Users (depending on the scope of the policy) with a filter assigned for the OS.
• If a group needs to be excluded, we then exclude the group, and assign to an exception profile that will include the same filter.
  • Note: I'll be writing a post on our policy design at a later date. We've gone through many iterations of this and I believe we've landed on something that works best.

Creating Filters​

An admin can create filters by going to Microsoft Intune, choosing Devices, and then going to Assignment Filters. Once there, you should see a create button with two options:

1. Managed Devices
2. Managed Apps

There are a variety of different rules that you can create, for the full list, see Microsoft Learn.

Common Windows Filters​

Now that you know what filters are, I want to provide you with the common Windows-based filters we use at our organization. Mostly, we use them for operating system criteria, AutoPilot group tags, and enrollment profiles. Obviously, there are other use cases.

Join Type Filters​

Windows 11 Filters​

Virtual Machine Filters​

Azure Virtual Desktop Filters​

Note: If you have Hyper-V based virtual machines that are not AVD hosts, these filters will need to be tweaked. Intune does not have a great way of detecting these with filters other than OS. Naming conventions is probably the easiest way to detect, but that is not fool proof either.

AutoPilot Filters​

Conclusion​

I'm curious if anyone has a better design for the AVD limitations that we've ran into for filters. We've also noticed that Microsoft really hasn't expanded much on filters past the initial set they released. Hopefully this is something that can be expanded on in the future. I'd love to see this tie into the Properties Catalog more, or to have more WMI based filtering similar to what Group Policy had.

Hi everyone. I recently ordered a couple of the somewhat recently released Home Assistant Voice Preview Edition's, for a very specific need for my Type 1 Diabetic wife. She currently uses Dexcom G6, and while helpful, does have a laundry list of complaints with the product.

• Sensors disconnecting randomly. She does not know of the disconnect until she pulls her phone out to look at the app to check her glucose level. This can be quite problematic for a diabetic, and pretty dangerous.
• Having to constantly pull her phone out to check. While quite an improvement over the technology of yesteryear, can be a distraction for people, especially if they have ADHD.

Like any technologist, I got thinking of how I could help solve this. Selfishly, like any technologist, when you get the chance to play with new devices, you have to take advantage of that opportunity.

I'm a big fan of Home Assistant. Unfortunately, getting the Wife Approval Factor in place has been a challenge. Mainly because she doesn't care for technology all that much, and finds my tinkering to be a waste of money. I'll show her I said!

Researching Options​

Digging for the Solution​

Before I started ordering these, I had to brainstorm a little bit, and think how I could accomplish what I think she wanted. I had possible ideas in mind.

At MMS 2025, Matt Zaske had a demo on the Awtrix 3. This was the inital rabbit hole I started to go down, an always on display showing what was needed.

• Diabetic Specific Solutions
  • Sugar Pixels
  • Glowcose
• DIY Solutions
  • Awtrix 3
    • Not a fan of the pixelated interface in my living room.
  • ESP32 Displays
    • Doable, but do I want to and will I do the tinkering? My fear is this would be a Raspberry Pi that I order and then never look at.
  • Tablets
    • Not sure I want to buy a tablet just for this purpose.

I liked the idea of the Glowcose, but I didn't like that it was limited to a single use case. I could have gone the more DIY route, but factoring in time and cost, I'm not sure how much I'd be on board. There is also the wife acceptance factor, I didn't want a frankenstein of wires throughout the house.

While in the WinAdmins discord, someone was talking about the Home Assistant Voice that they recently ordered. From there, my curiosity (or ADHD) sparked my interest and I got going down the rabbit hole.

Why I chose Home Assistant Voice​

Home Assistant Voice gave me multiple options. I didn't want to have a device that only solved one use case, I wanted to solve (or tinker) multiple solutions.

• ✅️Multiple use cases
  • This can be used for other automations, not just Dexcom. Win for me!
• ✅️Ability to ask questions
  • "Hey Jarvis, what's my wife's glucose level?
• ✅️Ability to glance over and get a sense of the status
  • Home Assistant Voice has a ring LED light you can program.
• ✅️Local and not cloud based.
  • I've had enough issues with Google Home getting worse and worse over the years, I didn't want to invest in a cloud based product.
• ✅️ BONUS: A programmable button that you can automate
  • 4 button combos are available:
    • Long Press
    • Double Press
    • Triple Press
    • Easter Egg Press

Unboxing and Setup​

Unboxing the Device​

My only complaint so far, the device did not come with something to power the device. I'm not a fan of manufacturers doing this. For some reason

• I found 8 extra USB-C cables in 8 different locations in either my office, garage, or bedroom. Why are they in the garage? Not sure. Surprisingly, none were in my junk drawer in the kitchen.
  • For those curious:
    • 5 USB-C to USB-C.
    • 3 USB-A to USB-C.
    • A gazillion Micro USB cables.

For some reason, I do not have 8 extra USB-C power bricks. For the time being, I took a brick off my Pixel dock to use.

Setting up the Device​

There are some requirements before setting up the device for this use case.

• Must already be running Home Assistant
• Must have the Dexcom Integration added

Once those parts are done, device setup was pretty straight forward. I followed the instructions given in the box, and in less than 5 minutes, I had my device setup. I found the process to be much smoother and straight forward than Google Home or Amazon Alexa. I didn't have a ton of screens to opt in and out of "features" that I don't want.

One last step to note, you then will need to expose the Dexcom entities to your Voice Assistants.

Automations​

Where do I begin?​

Back to the original use cases, I wanted to do the following:

• Give her the ability to glance over, get a sense of what her glucose level is.
  • LED Ring
• Be able to know if her glucose level is rapidly rising or falling.
  • LED Ring
• Be able to check her glucose level without pulling her phone out.
  • Button press
  • Talking to the device and getting a response

Before going further, you can find my automations on my GitHub. I've omitted the username, replace the USERNAME with your username. You will also need to tweak to match the entity ID of your voice assistant.

LED Ring Automation​

Thinking further through the use cases, I came up with the following:

• LED Light: Red
  • glucose level is below 80
  • glucose level is above 150
• LED Light: Blue
  • Status is Unavailable or Unknown. Dexcom, for whatever reason in the past 6 months or so has been awful about the sensor not communicating properly with the transmitter. There are plenty of Reddit threads on the issue, but Dexcom doesn't seem to be addressing the issue. I wanted to provide a light that would make her aware when the sensor was not communicating.
• LED Light: Green
  • I had trouble getting the light automation to go from the off state back to the on state. I didn't necessarily want a bright green light all the time. Instead what I did for this one was to set it to Green, but turn the brightness down to 0 percent. That way, if she does decide that she would like the light on, we can just increase the percentage.
• LED Light: Yellow
  • Dexcom provides trend statuses to tell the user how quickly their glucose level is either increasing or decreasing. With the light being yellow, means the trend is either:
    • Rising Quickly
    • Falling Quickly

This gives me 7 total branches in my automation.

• Option 1: glucose level is either above 150 AND below 80
• Option 2: glucose level is below 80
• Option 3: glucose level is above 150
• Option 4: glucose level is rising quickly
• Option 5: glucose level is falling quickly
• Option 6: glucose level is unknown
• Option 7: glucose level is unavailable

Note: I do not know what the difference is between Unknown and Unavailable, Home Assistant gave me both of those options. My theory is Unavailable is when it stops communicating completely, Unknown is when it just can't read the value yet

Button Press Automation​

The next automation to do was to configure the button press. This one was much simpler, as I'm just wanting the glucose level announced when doubling pressing the button.

I love how there are multiple button combinations you can do. My yaml file is just stripped down to the basics of this automation for simplicity.

Future enhancement idea: Let me Morse code to the other Home Assistant Voice through taps and have it translate to speech

Voice Announcement​

Of course, you can also talk to the device to get the current glucose level. I love the different options that are available on this thing!

Conclusion​

A little bit different of a post, but hopefully helpful to others out there! Let me know if you have any questions or comments, I've added a shiny new GitHub commenting system.

It's been a minute since my last post. Since then, we've still been rolling out Windows Hello for Business at work as a project, along with many other tasks, projects, etc. Employee review season is upon us, so I need to start figuring out what all I did in the last year, and what I want to achieve in the upcoming year. It's one of those exercises I'm not the biggest fan of, mainly because I feel that I have to talk about myself more than I ever want to.

On the home front, we've been gearing up for the new school year and the end of the summer. I'm hoping to take my daughter camping next weekend, maybe some place up north in Minnesota. Anything is up north for us in Minnesota, as we live in one of the bordering counties of Iowa. What I really mean by up north is past the Twin Cities. I've also started yet another project, trying to finish the drywall mudding in my office/loft above the garage. The previous owners finished the mudding about 40% of the way. I'm now three years into living at this house, and just attempting to get it done. By the time I do get it done, we'll probably/hopefully be moving again.

From the blog side of things, I did a little thinking and reading and decided to do away with the ChatGPT generated images. I found them interesting, yes, but also felt that it sort of cheapens everything that I am trying to do. If I am willing to put in the work and write, why should I just use AI generated images? Seems silly to me. Unfortunately, I am not a graphic artist. I tried that route when I was about 19 and found out quickly that it wasn't for me (aka I sucked at it) at Ivy Tech Community College. So I am playing around with the idea of templated cover images instead. Let me know what you think!

One of the asks in this project, as we've been rolling out Windows Hello to internal pilot testers, was gathering how many users/devices have actually enrolled in Windows Hello for Business on their device.

The Entra Way​

Before I dive into the detection script I have, I want to point out that this data is available in Microsoft Entra natively under the Authentication Methods blade. If you work in an enterprise environment, you might not have the proper roles to access that data. From what I have seen also, this data is more "user-centric" rather than device based. I was looking for the data from the device side of things.

Intune Detection Scripts​

At the same time I was trying to piece everything together, Johanne's dropped a timely blog post that gave me the starting point of my script. Check it out here. His blog goes into finding the last authentication method used.

Using that script, I now know that D6886603-9D2F-4EB2-B667-1971041FA96B = 'WHFB PIN, NGC Credential Provider'.

    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}

You can find the script here. Now, create a new Detection Script in Microsoft Intune under Scripts and Remediations.

Detection Script Setup​

Once the data is gathered, under the Column settings, turn on the Pre-remediation detection output under Device Status, this will give you the output of how many users are enrolled.

Clicking on review, will then give you the total number of users enrolled. Of course, I would recommend exporting the data instead, and then provide that data to whoever would need it.

Hello there! It's been a couple weeks since my last post. I've been slammed at work with various projects (Azure Virtual Desktop, Windows Hello for Business, etc, etc), studying for the AZ-104 certification (trying to meet my employee goal before the end of the year), various things around the house (still working on flooring, painting, gardening), and the usual business of summer. My son got his first stripe in jiujitsu. He's been doing this since about February/March, trying to improve his mental health and getting more active. While he certainly has his days where he doesn't want to go, he's been pretty great about going two times a week. When he leaves class, he's always smiling and happy. Seeing his improvement both with his overall attitude and how he's improving with jiujitsu has been awesome to see. I'm pretty proud of him for sticking with it, and getting his first stripe!

I am trying to be more consistent with this, but struggling to either find the time, or just having general writer's block. I need to get out of the mindset of not writing something because someone else has already written it, and just try to write something from my perspective. One of the projects we are working on at work is Windows Hello for Business. While there are plenty of guides out there on how to implement, we've gotten some random questions regarding shared workstations, different models and their supported biometrics, and how we can have a successful rollout. The goal of this post is to provide some helpful scripts to start the journey for Windows Hello.

The solutions I am posting below are designed for Intune Remediation Scripts (using a Detection method), this can probably be achieved in other ways (Configuration Items/Baselines), but we're starting to shift away from that and focus on Intune more and more.

What types of biometrics are on our devices?​

With any large organization, you probably have multiple makes and models spanning multiple years (hopefully four or less years) and are wondering how users will be able to login with Windows Hello for Business?

Windows Hello supports three types of biometric sign in (Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/#biometric-sign-in)

• Facial Recognition
• Fingerprint
• Iris recognition
  • Note: I'm yet to see a device that can do this. I didn't even know it was a thing until writing this!

As we are starting to write knowledge base articles for our end users, we want to provide them with the correct instructions. If they don't have Facial and Fingerprint, we are most likely going to only provide instructions for one or the other.

Intune Detection Script - Biometrics

I've linked the script to detect the different biometrics above. This should be configured as a Detection Script in Microsoft Intune, with the default configurations. Once configured and the script has ran for enough time, you can add the Pre-remediation detection output column, and should see results similiar to below:

The output can also be exported to a CSV file for further review.

How many user profiles are on our devices?​

Another gotcha to look out for is how many user profiles are on your workstations. Windows Hello for Business supports a maximum of ten enrollments on a single device. This is Face or Fingerprint.

Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq#how-many-users-can-enroll-for-windows-hello-for-business-on-a-single-windows-device

The initial group we are exploring rolling this out for has a large footprint of shared devices, with multiple people rotating in and out daily and even hourly, so we either need to exclude those devices, or look at other options (Yubikey, etc)

Intune Detection Script - Profile Count

The detection script for this is also above, with the $excludedProfiles variable allowing you to exclude any profile you want. In my case, I'm excluding Administrator, Guest, Public, Default, and defaultuser0. I'm also looking for sign-ins for the last 90 days, hoping to capture accurate stats and not just devices with really stale profiles (that probably need to be remediated at some point)

If the script finds more than 10 profiles, this will return non-compliant. Less than 10 profiles, the script will return compliant.

This should also be ran as a Detection Script only in Microsoft Intune with the default configurations.

Greetings everyone. I wanted to share some of our functions that we've been using on our migration path from Group Policy to Microsoft Intune. This is a new one I just wrote this week, and think it will be very helpful. In our environment, we have multiple forests (27+). We've been migrating our standard workstation policies, but with 27 forests, we're discovering we still have a lot of cleanup to do.

While the push is for pure Entra join, many organizations aren't ready to commit to that (not for lack of trying to convince management otherwise), and will be in the hybrid scenario for quite a while. I'm always quite interested when I go to MMS and see the amount of hands that are either co-managed with Configuration Manager, or using Hybrid Join with Active Directory. Despite the marketing push from Microsoft, and all the new technology going into Azure/Entra/Intune, I don't think Active Directory or Configuration Manager are going anywhere anytime soon.

Search-GPOCategory​

I'm not going to go into a step by step breakdown of the script like I have done in previous posts. I'm not sure how much value there is in that, but will give a slight breakdown of it here. If you have any questions on it, please feel free to reach out to me and I can answer any questions on it. The function can be found on my GitHub

Summary​

[CmdletBinding()]
    Param(
        [Parameter(Mandatory = $False)]
        [array]$Domains,
        [Parameter(Mandatory = $True, HelpMessage = "Category to search for")]
        [array]$Category,
        [ValidateSet('All', 'Computer', 'User')]
        [string]$PolicyScope = 'All'
    )

    #region Parameter Logic
    if ($Domains.Count -eq 0) { $Domains = (Import-CSV -path $global:DomainsFile | Out-GridView -PassThru).Title }
    #endregion

• $Domains
  • As with most of our functions, we're asking for an array (or single) domain. If you do not list a domain, we'll attempt to load a CSV file containing our domains. If using a CSV title, the header should contain Title for the list of domains.
• $Category
  • This is the category (or multiple categories) that you're searching for. In my example, I will use "Microsoft Edge". This is looking for anything like Microsoft Edge. That means it will pull Windows Components\Microsoft Edge, Microsoft Edge\Downloads, Microsoft Edge, etc.
• $PolicyScope
  • This allows you to narrow it down a little bit more, so you're able to search the Computer or User side of the policy, or just search all of the policy.

Data Returned​

The following will be returned in the CSV file:

• DomainName
  • The domain the policy is on.
• PolicyName
  • The name of the GPO.
• PolicyStatus
  • 
• Category
  • The category found. Example: Windows Components/Microsoft Edge
• Area
  • Computer or User
• Setting Name
  • The name of the settings found
• Setting State
  • Enabled/Disabled/whichever else. Will not return Not Configured.
• Enabled OU Links
  • All the OU links for the GPO, separated by a ";"
• Security Filtering
  • The security filtering applied to the policy.

Background​

A little bit of history from the org I work in (and previous orgs up to Step 5). If you work in Education or Government, you're probably all too familiar with this process.

1. Centralization
   • Higher ups decide to centralize IT services.
   • All local teams to start using central enterprise IT. Education and Government just love doing this.
2. Policies managed by other teams
   • Here is this random structure of GPOs and OUs, have at it, not our problem anymore.
3. OU Migration (Workstations)
   • We then migrate all the workstations to an enterprise managed OU.
   • While trying not to break things too much, some legacy policies will move over also.
   • Process can take 3 months to 3 years (yay politics!)
4. OU Migration (Users)
   • Haven't even touched these yet, legacy policies and structure still hangs out there.
   • Why does User policies always fall on the Endpoint teams? A question I've been pondering
5. Let's use Intune!
   • We're well underway migrating our core policies that we have applied in all forests to Microsoft Intune.
   • We've reviewed policies, determining if they still make sense to move.
   • Inconsistencies from 1-4
     • User policies
       • Some previous teams did more configuration on the user side rather than workstation side. Can see duplicate settings on the user side vs. Intune policy, or settings doing the opposite of what we want
     • Legacy policies
       • Duplication
       • Frankstein policies
     • One off policies
       • Some department needed x setting and is filtered down a bit. Not a high priority, but would rather see all of that Category managed from a central spot and not a mixture.

The Next Step​

Now that we have our core policies moved into Intune, and being managed under the great central pane of glass, we're looking into stopping the inconsistencies, and really level setting the policies. My goal is to look at our core policies, and break these out by category. We then have some functions in our module that can help with this process. A previous one we get great use out of is Search-GPOString, this allows us to search GPO objects in all our forests by a query and get the GPO objects back, along with their status, security filtering, and linked OUs. This is great for finding single settings.

This week, I came up with the idea to search by category. By category, I mean I am looking specifically for this:

From there, we are then returning the settings associated with that category, along with details on the policy.

What do we do with that data?​

From there, we can really breakdown our policy structure even more, and make more determinations.

• Do these policies make sense in 2025?
• Are these policies better (more secure) than what we currently have in place?
• Do we want to simplify and do away with these policies?
  • What will be the impact if we do that?

Piloting​

No matter what decision that is made, we're then going to pilot this out. Daniel Ratliff had a great blog post Managing Endpoint Policies for the Enterprise, that serves as a great reminder. For us, we like to use the randomized process, but as we develop pilot groups more, might revisit the idea. See here for details on our randomization process if interested.

While we all want to move a little quicker, and get done with migrating policies, we will never truly be done. There will always be some other policy to create, tweak, or get rid of. There is no finish line to this, so take your time and try to fly under the radar as much as possible when doing policy migrations.

Conclusion​

I'll be publishing some more Group Policy related scripts to help people on their migration from GPO to Intune. I'm curious to know what other people are doing in their environments, whether doing a complete overhaul, migrating to new OUs through attrition (new builds), a mixture, or totally scrapping AD and going Entra only.

Good morning everyone! I've been struggling lately with things to write, and also struggling with making time to write. I feel like this summer we've been slammed at work with different projects, I've been slammed at home with different projects, and have generally just been a little tired. I'm attempting to launch a consulting company, so I've been working through trying to get that off the ground (design a website first), so that has been eating into my time. While weed eating our wooded trail yesterday, I was thinking of different posts to make. One that I've been wanting to write about is my thoughts on Microsoft Graph and all the pain points I've experienced myself as a general noobie to Graph. I've been using Microsoft Graph the last three years in different capacities. This would be either through the SDK, native API calls, or using Invoke-MgGraphRequest.

Last week, we had an incident pop-up where our Apple VPP apps had their assignments removed when we put in the new VPP cert. So, I wrote a Powershell script that called the Graph API to retrieve the application assignments after we went through and re-assigned everything. Unfortunately, I did not have this data beforehand. But, for this post, I'm going to use the script I developed as an example for configuration. The main script can be found here Export-IntuneApplicationAssignments

Common Terms and Painpoints​

Before starting, I want to list out some common terms and some common pain points I've ran into. A lot of this will be dependent on what your environment looks like and what you are doing with Microsoft Graph.

Common Terms​

To use the Microsoft Graph API, you need access. Typically, Microsoft Graph is not going to be wide open for you to just connect to and run commands against. Thinking to the Active Directory world, you would have permissions delegated to your privileged account (hopefully) and then you would perform actions. Instead, in the Azure world, you will grant permissions to an App Registration. Microsoft has provided all the permissions to configure, allowing you to get very granular and use the principal of least privilege.

Permissions Consent Overview

• Types of Access
  • Delegated
    • Connecting to a resource on behalf of the signed in user.
    • Used for running scripts on demand with no automation tied to it.
    • I use this most commonly in my day to day work over Application permissions.
  • Application
    • Connecting to a resource as itself.
    • User is not needed to authenticate
    • I use this with automation (Azure Runbooks, Github Actions, etc)

Going back to the Active Directory scenario. With Delegated, I'd equate that to me running a script with my privileged account whenever necessary. Where if I then wanted any sort of automation (Scheduled Task maybe?), I'd probably have a Service Account with the permissions needed to then run the task.

• Pagination
  • Because you're now working in this huge environment, that has multiple customers, we need to be more efficient. On some of the data requests, Microsoft "pages" the data. Meaning, you will only get back chunks of results at a time. If wanting to return ALL the data (because who doesn't), you then have to use pagination to keep going through the results.

Paging Microsoft Graph data in your app Practical Graph: All About Pagination and Fetching Data How To Handle Microsoft Graph Paging in PowerShell

• Beta vs. v1.0
  • While Beta is just that, Beta. I've yet to really see anything go from Beta to 1.0, where much of the functionality needed is in Beta. For that reason, I tend to default to Beta, and only fall back to v1.0 if I absolutely have to.

Getting Started - App Registration​

1. Open Azure (portal.azure.com), and go to App Registrations
2. Click New Registration
3. Fill in the details, making note of the Redirect URI
   • This will prompt the user for authentication using the Microsoft authentication.

4. Once created, click on API Permissions.
   • By default, the application will have User.Read permissions

5. Click Add a Permission
6. Click Microsoft Graph
7. Choose Permissions

• Application
• Delegated (I'm choosing Delegated in this walk through)

8. Scroll down to DeviceManagementApps, then choose DeviceManagementApps.Read.All
   • We're trying to use the principle of least privilege here, so we're only choosing Read permissions.
9. Now that the permission is added, we still aren't done. Somebody has to sign off on the permissions being added, that's why the Status is "Not granted"

1. We'll need someone with the proper permissions to Grant Admin Consent.
   • Grant tenant-wide admin consent to an application
2. Thankfully, this is my Lab tenant, and I have Global Admin.

3. One last step, go to Authentication, and add http://localhost into the Mobile and Desktop applications Redirect URIs section

We've now configured our Delegated App Registration that will allow us to connect, we can then restrict who can access the application.

1. Back in the Azure portal, go to Enterprise Applications.
2. Find your newly created application and go to Users and Groups.
3. Add any user who should have permissions here.

So with this configuration we have:

User (with permissions) ---------> Connects to Application ---------> Application has permissions ------------> Application makes requests to Microsoft Graph

That's fantastic, but how do I know what permissions I need?​

Knowing what permissions you need can be challenging. Fortunately, there are many tools provided to do such a job. I'm not going to go into great detail about how to use each one of them, those can be other posts.

Graph Explorer Graph X-Ray PostMan Graph API Documentation

Above are either tools from Microsoft or third party tools to get started. Personally, I like to just look at the network calls being made in Microsoft Edge to find out what the calls are, and then I can typically find the right permissions based off that. The Graph API documentation is also a great starting place, you just have to know how to navigate and know what you are looking for.

So in this example scenario, we're wanting to get application assignments.

1. Go to Microsoft Intune
2. Click Apps
3. Using Edge, hit F12 and open Developer Tools.
4. Make sure the Network tab is selected.
5. In this case (probably a bad example to be honest) I'm going to create a new app with the Network tab open
6. Make the application available to All Users

You should then start seeing a bunch of calls being made

Most of this looks like garbage to me, anything with .js is worthless to me.

But, I then see this mobileapps. This is my starting point for configuring the permissions (and when I go to write my PowerShell script)

https://graph.microsoft.com/beta/**deviceAppManagement**/mobileApps/

• DeviceAppManagement (Intune) = DeviceManagementApps (Azure)
  • Microsoft is never consistent with naming!

Authentication​

Okay, now we have the App Registration configured, how do we connect to it?

We have two scenarios for connection, native Rest API connection(Get-MSALToken), or connecting with Microsoft Graph.

Invoke-RestMethod/Get-MSALToken​

I find this to be the most difficult to connect to, but let's give it a shot and see if I can explain it and figure it out myself.

1. Install Get-MSALToken

Install-Module -Name MSAL.PS -Scope CurrentUser

Now that we have the module installed, we need to configure our parameters.

On the Overview page of your App Registration, you'll find the details needed. You can use either your domain name or actual tenant ID for the below portion. I'm using my tenant domain name.

$token = Get-MsalToken -clientid "CLIENTIDHERE" -tenantid "joeloveless.com" -Interactive
$header = @{'Authorization' = $token.createauthorizationHeader();'ConsistencyLevel' = 'eventual'}

In this example (Delegated), I am looking to connect interactively. If I wanted this in an automated scenario, I'd be looking at using Client Secrets, Federation, or Certificates to pass the authentication.

Connect-MgGraph​

The next option (and simpler IMO) is to connect using Connect-MGGraph

Connect-MgGraph

We'll need the Microsoft.Graph.Authentication module.

Install-Module -Name Microsoft.graph.authentication -Scope CurrentUser

From here, we just need to run a one liner to then connect:

connect-MgGraph -ClientId "ClientIDHere" -TenantId "joeloveless.com"

Neither are overly difficult to configure, but Connect-MgGraph is just a tad simpler. Personally, I go with Connect-MgGraph, based off this paragraph from the PowerShell Gallery

The MSAL.PS PowerShell module wraps MSAL.NET functionality into PowerShell-friendly cmdlets and is not supported by Microsoft. Microsoft support does not extend beyond the underlying MSAL.NET library. For any inquiries regarding the PowerShell module itself, you may contact the author on GitHub or PowerShell Gallery.

Microsoft doesn't officially support MSAL, where they do officially support the Graph SDK.

Option 1: Scripting natively with Invoke-RestMethod​

Full Script Here

In this scenario, we've already connected using the Invoke-RestMethod/Get-MSALToken method from above, connecting to our delegated application and are ready to start writing PowerShell scripts.

I've added the full script here, but I want to highlight the key differences in each script. The guts of the script are the same, just a little different for each one.

# Check Graph connection
    if ($null -eq ($header)) {
        Write-Error "Authentication needed. Please call connect to Microsoft Graph."
        return
    }

Here we are checking for the $header not to be null, as that is the variable we're using from above to store the authorization.

#region Get application details
    $uri = "https://graph.microsoft.com/$graphApiVersion/deviceAppManagement/mobileApps?`$expand=assignments"
    $resultCheck = @()
    do {
        $response = Invoke-RestMethod -Uri $Uri -Method Get -Headers $Header
        $resultCheck += $response.value
        $uri = $response.'@odata.nextLink'
    } while ($uri)
    #endregion

The key difference here is the $response variable. We need an extra parameter, Headers to achieve the desired results. The above code is what I use for the pagination scenario from the Common Terms section. I'm looking for repeatable code, and this is what I have found to work perfectly, without over complicating things.

"#microsoft.graph.groupAssignmentTarget" {
                        try {
                            $uri = "https://graph.microsoft.com/$graphApiVersion/groups/$($assignment.target.groupid)"
                            $group = Invoke-RestMethod -Uri $Uri -Method Get -Headers $Header
                        }
                        catch {
                            Write-Error "Unable to get group details: $_"

Similar to above

#region Filter Details
                $filterId = $assignment.target.deviceAndAppManagementAssignmentFilterId
                $filterType = $assignment.target.deviceAndAppManagementAssignmentFilterType
                if ($filterId -and $filterId.Length -eq 36) {
                    try {
                        $uri = "https://graph.microsoft.com/$graphApiVersion/devicemanagement/assignmentFilters/$filterId"
                        $filterResponse = Invoke-RestMethod -Uri $Uri -Method Get -Headers $Header
                        $filterName = $filterResponse.displayName
                    }
                    catch {
                        Write-Warning "Failed to get filter details for ID $filterId"
                    }
                }
                #endregion

Again, pointing out the difference with the Headers variable.

#Option 2: Using MgGraph

Full Script Here

In this scenario, we've connected to Graph using Connect-MgGraph, using my preferred way of connecting.

# Check Graph connection
    if ($null -eq (Get-MgContext)) {
        Write-Error "Authentication needed. Please call connect to Microsoft Graph."
        return
    }

This is using Get-MgContext to do the connection check, running this will give you more information on how you are connected, what scopes you have, etc.

#region Get application details
    $uri = "https://graph.microsoft.com/$graphApiVersion/deviceAppManagement/mobileApps?`$expand=assignments"
    $resultCheck = @()
    do {
        $response = Invoke-MgGraphRequest -Method GET -Uri $uri
        $resultCheck += $response.value
        $uri = $response.'@odata.nextLink'
    } while ($uri)
    #endregion

One less parameter to worry about

"#microsoft.graph.groupAssignmentTarget" {
                        try {
                            $uri = "https://graph.microsoft.com/$graphApiVersion/groups/$($assignment.target.groupid)"
                            $group = Invoke-MgGraphRequest -Uri $uri -Method GET
                        }
                        catch {
                            Write-Error "Unable to get group details: $_"

if ($filterId -and $filterId.Length -eq 36) {
                    try {
                        $uri = "https://graph.microsoft.com/$graphApiVersion/devicemanagement/assignmentFilters/$filterId"
                        $filterResponse = Invoke-MgGraphRequest -Uri $uri -Method GET
                        $filterName = $filterResponse.displayName
                    }
                    catch {
                        Write-Warning "Failed to get filter details for ID $filterId"
                    }
                }

Option 3: Using Graph PowerShell Cmdlets​

Full Script Here

We had two options to connect to Graph, but now we have three options to run commands against Graph? What the hell?

Microsoft attempted to make this easier for us. In doing so, what they really did was create confusion. Many of the cmdlets are half baked, have really poor documentation, sometimes work, most of the time don't work, and are just down right confusing. I've struggled finding the right commands to use, and when I do find the right commands to use, nothing really seems to work just the way I expect it to. With the first two options, the code is very repeatable, where with this option, it takes a minute to find the right commands, then you have to hop on one foot and hope they work correctly.

Get started with the Microsoft Graph PowerShell SDK

Find-MgGraphCommand​

Where with the first two options, I could go to the API documentation and just find the URLs, I have to do a little bit more digging to find the right commands needed.

1. Navigate to the Graph API documentation, in this case, we're looking for Corporate Management > App Management, which in turn points us to the URL of

/deviceAppManagement/mobileApps

2. Now that we have the URL, we can run Find-MgGraphCommand

Find-MgGraphCommand -Uri '/deviceAppManagement/mobileapps'

This will then return us the available cmdlets to use.

3. Going down even further, we can run the following:

Find-MgGraphCommand -Command Get-MgbetaDeviceAppManagementMobileApp

Building the script​

First thing I noticed, I have another module to install.

So to build this script, I'll need the following:

• Microsoft.Graph.Authentication
• Microsoft.Graph.Beta.Devices.CorporateManagement

This is just for this example script. If I had a script that was peicing together multiple parts of Intune, I'd have a whole lot of dependencies and hoping there aren't issues at any point. Where with the previous two, I'm relying on exactly one module to install.

#region Get application details
    $resultCheck = @()
    do {
        $response = Get-MgBetaDeviceAppManagementMobileApp -All -ExpandProperty Assignments 
        $resultCheck += $response
        $uri = $response.'@odata.nextLink'
    } while ($uri)
    #endregion

This is a little bit less code, but did I really save any time by having to research this and peice it all together?

Now I'm down to the Groups portion of the script.

"#microsoft.graph.groupAssignmentTarget" {
                        try {
                            $uri = "https://graph.microsoft.com/$graphApiVersion/groups/$($assignment.target.groupid)"
                            $group = Invoke-MgGraphRequest -Uri $uri -Method GET
                        }
                        catch {
                            Write-Error "Unable to get group details: $_"
                        }

Previously I had this in Option 2. Now I need to find the commands again.

Find-MgGraphCommand -Uri '/groups'

Find-MgGraphCommand -Command get-mggroup

Now I have another module to install, the Groups module. If you're following along, now I need three modules:

• Microsoft.Graph.Authentication
• Microsoft.Graph.Beta.Devices.CorporateManagement
• Microsoft.Graph.Beta.Groups

if ($filterId -and $filterId.Length -eq 36) {
                    try {
                        $filterresponse = Get-MgBetaDeviceManagementAssignmentFilter -DeviceAndAppManagementAssignmentFilterId $filterId
                        $filterName = $filterResponse.displayName
                    }
                    catch {
                        Write-Warning "Failed to get filter details for ID $filterId"
                    }
                }

This one didn't take another module to be installed.

Comparing the Data​

Now that I have the script built, lets compare the results:

Option 1 and 2 CSV Results:

Cool! Look at all that data it returned. This is my test lab, so I'm expecting some blank results as I don't have a VPP account actually setup.

Where's Platform? This is just an example of the inconsistency that I talked about earlier. For whatever reason, Platform results aren't returned in this example. This was a totally random script I built last week for work and one I thought would be a good use case to show. I literally had no idea that the data would be inconsistent until I built this while writing the article. What are the odds?

Conclusion​

Hopefully this was a good explainer on the different options for getting started with Microsoft Graph. Going forward, I hope this explained the differences, and why I prefer using Invoke-MgGraphRequest over the others.

In my next post, I want to look at using some automation and create an Application App Registration vs. Delegated, and see how we can pump this data elsewhere (PowerBI) and take a look at that. Have a great day

I don't have a whole lot to write about this week, summer is in full swing, which means I'm pretty swamped with the kids and doing different activities. Right now I'm studying (again) for the AZ-104 test, blogging, and being slammed at work. My motivation hasn't fully been there since the RTO announcement, but the tech motivation is always there. Just a lot of anxiousness on what the future holds, which the HR department seems to change minute by minute while the agency has promoted telework as the future for the past five years.

But, I wanted to post something a little bit different. This post is a rundown of the tech I use both at home and at work.

Home Tech​

Hardware​

• Intel Nuc (8th generation?)
  • I use this running ProxMox to run my Home Assistant and Plex VMs. Probably a little overkill for the use case. My Plex setup is as basic as you can get, with an 8 TB external HD plugged into it.
• Dell Optiplex 7070 SFF
  • I bought this used off eBay. I was supposed to get a Mini Tower, but the seller sent me a SFF. My dream of beefing it up with multiple hard drives died there. Instead, PayPal refunded me and I have a free SFF PC. I use this for my home lab stuff, blogging, etc.
• Lenovo Thinkpad Yoga 370
  • I recently discovered how much I love the tablet mode, never used that before. I've been using this for note taking for AZ-104 using OneNote. Makes me want to buy an actual tablet. Mainly I have this on my desk with Discord open during the day, and maybe random podcasts playing.
• Google Pixel 6
  • My phone, I recently put GrapheneOS on this instead of stock Android. I don't have any complaints about it, I don't see random news articles anymore, and I've basically de-googled at this point which is nice. The ability to still download apps from the Play Store is there, with everything being sandboxed.
• Eero Mesh
  • I use the Eero Mesh for my wifi in my office, basement, and main floors. Would I buy it again? Probably not, I'm not a fan of how locked down some of it is. Fiber is supposed to come to my house in the fall, so I might look at upgrading then to something else. Maybe I'll go the Ubiquiti route.
• Starlink
  • No options really, either Starlink or some crappy DSL provider. I'm looking forward to the fiber option and can't wait to cancel. It does well for the most part, heavy rain interferes with it (not really snow though). But it's $120 bucks a month, and Elmo seems like a douche.
• PS5
  • I have a PS5 for gaming, mainly for my kids, but I'm a big kid at heart. Since getting it last year, I've played the God of War games, and now am hooked on Call of Duty. I'll probably get a new game here soon. Gamertag: Pacers31Colts18.
• Zwift Hub
  • I bought this for indoor cycling in the winter. Turns out indoor cycling is super f'n boring. I don't use it all that much.
• Google Chromecast TV
  • I use Google TVs for streaming purposes. I wish the storage was a little bit bigger, but I also don't run a lot of apps so it isn't too bad. No complaints.
• Google Hubs
  • I have two of these, honestly, I barely use them anymore. I find them to get dumber and dumber as the days go on and have basically given up trying.

Software​

• Plex
  • I use Plex to stream my home media. My kids (14 and 12) have a specific niche of Star Wars, Marvel, Avatar, Monsterverse, Jurassic Park, any anything else that involves giant monsters or cool superheroes. That is mainly what I watch too.
• Sonarr
  • Sonarr for grabbing TV shows I already own.
• Radarr
  • Radarr for grabbing movies I already own.
• Bazarr
  • Bazarr for grabbing subtitles for said movies and tv shows I already own.
• NZBGet
  • Sonarr/Radarr tell NZBGet what to grab.
• Prowlarr
  • Prowlarr sync's everything together in one spot so I don't have to.
• Home Assistant
  • Home Assistant is the home automation platform. My setup is super basic. I have some smart bulbs, smart switches, the hubs, and a propane tank sensor. I've always dreamed of having more automation, but I don't use it all that much. I also use it for watching HD space on my external HD for Plex.
• Hyper-V
  • I use Hyper-V to run my home lab, off the Dell Optiplex 7070. This is connected to my Azure tenant that I use for testing stuff out.
• OneNote
  • OneNote for random note taking
• BitWarden
  • BitWarden is my password vault. I recommend it, $10 bucks a year. Does have random autofill issues on Android it seems.
• PipePipe
  • Open source alternative to Youtube. Fork of NewPipe. I use this over YouTube in my attempt to DeGoogle as much as possible.
• VSCode
  • I use VSCode to either write scripts, or write blog posts in Markdown format.
• GitHub
  • My site is tied to GitHub pages with branching and source control.
• Squarespace
  • I purchased my domain name on Google Domains initially, then that got sold off to Squarespace. Seems simple enough.
• Hugo
  • The platform I use for blogging. I mainly followed the guide from Mike Robbins to get started.

Work Tech​

Hardware​

• Dell Latitude 5440
  • Run of the mill Dell Latitude laptop running a 13th gen i5 with 32 GB ram.
• Some Herman Miller chair
  • I have back problems, decent enough chair, I'm also not going to go out and buy one, so work let me use this at home.
• Custom made standing desk
  • I had some leftover butcher block, and ordered a standing desk kit off Amazon and put the butcher block onto it. My goal was to automate it into Home Assistant, but I never got there. One day.
• 3 monitors
  • 1 32 inch monitor
  • 2 27 inch monitors
    • 1 vertical
    • 1 horizontal
• Blue Yeti Microphone
  • Given to me by Fabian Rodriguez at TCSMUG.
• MMS Playing Cards
  • When in meetings I need something to keep me occupied while talking. So I shuffle a deck of playing cards I got at MMS 2024. Other random toys I have are a koosh ball and a fidget spinner.

Software​

• Microsoft Office
  • Typical Microsoft shop, running Office and Teams.
• Azure Virtual Desktop
  • AVD multi-session host for nearly all my administrative work.
• ADUC/GPMC (Active Directory and Group Policy)
  • ADUC and GPMC inside the AVD host to be able to manage all the domains we manage.
• Configuration Manager
  • Where and how I really got going in tech, still love it to this day and will die on the ConfigMgr hill.
• VSCode
  • I use VSCode extensively for writing PowerShell scripts.
• GitHub Enterprise
  • Where our team stores all our repos.
• VSCode Extensions
  • I run a pretty vanilla setup, we migrated from Horizon Virtual Desktops to AVD, and I'm trying not to run as many extensions this time around.
    • PowerShell
      • All my coding is done in PowerShell.
    • Prettier - Code Formatter
      • I like how this will format the file for me.
    • GitHub Actions
      • For managing everything we have tied to GitHub Actions.
    • GitHub Pull Requests
      • So much easier than knowing the proper Git syntax and workflow. 10/10.
    • Azure Automation
      • Used for managing the runbooks in Azure, with proper source control to GitHub tied to it.

It's been a few weeks now since I've made a post. The nice weather has kept me busy with yard work, taking my son camping, working on my garden, and trying to keep the weeds at bay.

Last weekend I took my son camping at Beaver Creek Valley State Park in Minnesota and had a blast with him. Beaver Creek is a fairly small campground, with an odd one road layout. For me, that's awesome. I don't want to be around too many people, and the park itself was amazing. The Hiking Club Trail was 6.2 miles long, and split up into two legs. The first leg, was really hilly, and I ended up slipping twice and landing on my butt on the trek down. The second leg, was fairly flat, but in this awesome valley with really great scenery. We did the first leg on Friday afternoon after arriving to our site, and then did the second leg in the morning. From there we did some fishing in Brownsville along the Mississippi River. I'm now 40 years old, and am yet to catch a fish that doesn't involve deep sea fishing, or trout fishing. Granted, I'm not a fisherman, and I don't do it all that often, but you would think I'd be able to catch one once? Nope, not me. Jay has though, which really doesn't make me feel any better, but good for him. Saturday afternoon we did some more hiking at Great River Bluffs State Park, which was around 2 miles on the hike. We're now over 40 miles on the hiking club trails, well on our way to getting our 50 mile badge.

My garden is also coming along. Last year, I didn't plant anything. My first year here, it was trying to get it all ready, but weeds took over the area and won the battle. Weeds took over the area even more last year. My plan this year was to go back to raised beds. A trip to Menards put that all in shock when I found the price of lumber for a 1x8x8 was around 15 dollars for the crappiest piece of pine you could buy. I thought about giving up again, but then realized the barn we have had a bunch of old lumber still in it. I've now built five raised beds using that lumber. To date, I've planted:

• Bed 1:
  • Green Beans
• Bed 2:
  • Tomatoes
  • Marigolds
• Bed 3
  • Peppers
  • Lettuce
• Bed 4
  • Corn
• Bed 5
  • Need more compost, might plant pumpkins.

Finally, my Pacers are in the NBA Finals. It's been 25 years since the last trip, which put me in I think my freshman year of high school. My brother was going into his senior year. We have good memories of sitting in the parking lot across the street from the Fieldhouse in Indianapolis and watching the Finals then. His kids are now going into their senior year of high school, which makes us feel really f'n old.

Since I've been out of the groove a little bit, I've had a little bit of a writers block about what to write about. My last post was about using the CIS Benchmarks with AVD Multi-Session hosts. I wanted to expand on the topic some more, and touch on configuring the CIS Microsoft Windows 11 Enterprise Benchmark using Microsoft Intune, what settings aren't supported, what settings are supported, how to configure, and any gotcha's that we have experienced.

What is CIS?​

Simply put, CIS Benchmarks are a baseline of settings that will give you a secure environment. They are a guidance, and do not need to be configured 100% (despite what your security team says). Striving for 100% should be the goal, but honestly, isn't achievable in any organization I've been in. For more information on CIS, you can go to https://cissecurity.org

What's the difference between the Enterprise and the Intune benchmark?​

From CIS:

• Intune Benchmark:
  • The Microsoft Intune Windows Benchmarks are written for MDM-joined systems using Microsoft Intune device configuration profiles only. This benchmark is not intended for use on standalone or workgroup systems, systems joined to and receive policies from Active Directory, or systems created, maintained, or used in other Cloud offerings. This benchmark covers supported endpoint states for Entra Hybrid Joined and Entra Joined systems that receive policies from Microsoft Intune using Configuration Profiles only.
• Enterprise Benchmark:
  • The Microsoft Windows Benchmarks are written for Active Directory domain-joined systems using Active Directory’s Group Policy Manager only. This benchmark is not intended for use on standalone or workgroup systems, systems joined to a cloud offering, such as Entra ID, or systems created, maintained, or used in the Cloud. This benchmark covers supported endpoint states for Active Directory and Entra Hybrid joined systems that receive policies from Active Directory Group Policy Manager only.

But what if our org is hybrid and has regulations to adhere to?​

Too bad? Microsoft is pushing us to be modern managed, using Intune, and starting that journey by hybrid-joining your existing devices. Cool. Great. But what if I want to move away from Group Policy and use Intune configuration? You can do that. As you see, both benchmarks cover hybrid-join scenarios. The difference being is the amount of settings that are in each benchmark.

• If you have regulations to adhere to, you're probably going to be stuck with the Enterprise benchmark.
  • The decision should be made, use GPO even if you're hybrid joined?
    • That seems like a bad idea to me, as you want to avoid the conflicting configurations. Pick one or the other. You've already enrolled these in Intune, I would keep using Intune.
• If you don't have regulations to adhere to? Lucky you!
  • Use the Intune benchmark.
    • CIS does the hard work for you, the .json files are already there.
    • WARNINGS:
      • Don't just import the settings and apply to All Devices.
      • REVIEW THE SETTINGS, GET AN UNDERSTANDING OF THE POLICIES, AND GRADUALLY ROLL OUT THE POLICIES.
      • Push back on your security team if they say you need to implement all of these 100%. They're checking boxes, you have to deal with the support.

Downloading the Benchmark​

To download the kit to implement the benchmark, you need to have an account with CIS. That can be achieved by going to https://workbench.cisecurity.org/. I don't know the full ins and outs of the cost, as my organizations have always had the means one way or another.

To start, we're actually going to download the CIS Microsoft Intune for Windows 11 Benchmark v4.0.0. Why this over the enterprise flavor? We're going to use this as the starting point for our configuration, to see what works, and what doesn't work right out of the gate. The Enterprise baseline is group policy based, so that only has group policy templates. The Intune baseline has the proper .json files for importing into Intune.

• Once registered and signed-in, click on Benchmarks
• Search for CIS Microsoft Intune for Windows 11 Benchmark
• Click Files in the top right corner
• Click CIS Microsoft Intune for Windows 11 Benchmark v4.0.0 - Build Kit
• We're then going to download the .zip file
• Unzip the file

Importing the Benchmark​

Now that we have the benchmark downloaded and unzipped, we can then import into Intune.

The following is the .json files that are available to import, which makes this so much easier.

Importing and Configuring the Baseline​

Cool, now that we have them imported, we just select All Devices and away we go right? No. Don't do this. I can't stress that enough.

• Build a test VM or test device if you have one handy.

I won't walk you through that, as that's different for each org. Too many options to choose from. As Microsoft would say, do what fits your org.

I learned upon first import, the Windows LAPS configuration is missing. Looking at the folder structure under the L1 folder, I see these Settings Catalog profiles, and then a script to disable Services.

After reviewing the readme file, I noticed that the LAPS profile has to be configured manually. Importing profiles with the endpoint security blade is a tricky item in Intune, and really a pain.

From the ReadMe file:

For 100% benchmark compliance, perform the following steps:

1. Import desired profile from ".\Settings Catalog" folder into Intune ex: “CIS (L1) Defender - Windows 11 Intune 3.0.0.json”.
2. Run scripts in ".\System Service Scripts" folders either locally, via Intune script manager or your preferred method.
3. Configure LAPS settings in the "Endpoint security > Account protection" section in Intune admin center as outlined in the benchmark.

What I haven't done at this point is assign the baseline to my group and test VM. What I want to do first is scan the system with a fresh build, and see what the configuration looks like out of the gate. Now, this will be different in every organization, as you might have some GPOs applying, settings applying during the build process, etc that will change the score slightly. Ideally, you'll have a pretty crappy score. If not, that means you have configurations in place already. As much as possible, you'll want to transition those policies out of wherever they are, and into Intune so you can manage the policies from a central location.

CIS-CAT Assessor​

To review what is being applied, CIS also has a tool called CIS-CAT Assessor. This can be downloaded at this site, https://workbench.cisecurity.org/download/cis-cat/assessor. You will also need a license file, which will go in the license folder of the extracted zip file. Download all of this on your freshly built VM, as we're only going to run this locally and not over a network.

Fresh Build​

When I run the CIS-CAT Assessor, I am going to choose both the CIS Microsoft Intune for Windows 11 Benchmark and the CIS Microsoft Windows 11 Enterprise Benchmark for assessment. Typically, I choose output to an HTML file also. This is just easier for my eyes to read, to each their own.

Out of the gate, with no policies applied, I achieved the following results:

• CIS Microsoft Intune for Windows 11 Benchmark
  • 337 settings
  • Pass: 57 settings
  • Fail: 273 settings
  • Score: 17%
• CIS Microsoft Windows 11 Enterprise Benchmark
  • 406 settings
  • Pass: 86 settings
  • Fail: 318 settings
  • Score: 21%

What this tells me is that some of the settings defined in the benchmarks are default settings that Microsoft sets. I've added CSV files of the scan results, so you'll be able to see what settings are already configured with a freshly imaged device. A debate could be had on whether you need to configure these or not, as it would take someone with administrative rights to change the policies anyways. Files can be found here: https://github.com/Pacers31Colts18/Intune/tree/main/CIS%20v4.0

Applying Imported CIS Microsoft Intune for Windows 11 Benchmark​

Now that we have the initial baseline established, we are ready to assign the policies we imported earlier into Intune. Typically when I am piloting, I will create a group, exclude from the previous policies, and apply to the new policies. Because this is in my lab, I don't really have any policies. If you do have policies, you'll want to have this configured before you run the scores on the fresh build, or you will have mixed results of policies already applying.

After some time, the policies should be applying, you can tell if the policy has applied, simply by rebooting the device. You should see this on the logon screen.

Remember how I said don't just apply this without any thought? This is what happens.

Attempting to run the CIS-CAT assessor again, I now get this error message.

And another error! The policies are doing their job

Instead of using a standard user account, I am going to login as my Administrator account now to run the CIS-CAT Assessor.

I'm now ready to run the CIS-CAT Assessor again, and have achieved the following results:

• CIS Microsoft Intune for Windows 11 Benchmark
  • 337 settings
  • Pass: 320 settings
  • Fail: 12 settings
  • Error: 5 settings
  • Score: 95%
• CIS Microsoft Windows 11 Enterprise Benchmark
  • 406 settings
  • Pass: 257 settings
  • Fail: 147 settings
  • Error: 0 settings
  • Score: 64%

What didn't apply correctly?​

CIS Microsoft Intune for Windows 11 Benchmark​

• Errors:
  • (L1) Ensure 'Turn off toast notifications on the lock screen (User)' is set to 'Enabled'
  • (L1) Ensure 'Do not preserve zone information in file attachments (User)' is set to 'Disabled'
  • (L1) Ensure 'Notify antivirus programs when opening attachments (User)' is set to 'Enabled'
  • (L1) Ensure 'Prevent users from sharing files within their profile. (User)' is set to 'Enabled'
  • (L1) Ensure 'MSI Always install with elevated privileges (User)' is set to 'Disabled'
• Fails:
  • (L1) Ensure 'Allow Spotlight Collection (User)' is set to '0'
  • (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'
  • (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
  • (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
  • (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'
  • (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'
  • (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
  • (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'
  • (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'
  • (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
  • (L1) Ensure 'Generate Security Audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
  • (L1) Ensure 'Impersonate Client' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

I see themes here:

1. User settings not applying properly. I've ran into this in the past. The CIS-CAT Assessor scans all user profiles, even if they are not sync'd to Entra. For example, if I had logged in with my local administrator account (which I had), CIS-CAT will then scan that path in the registry and report back a failure. For that, I'm not going to worry about these settings.

2. System Services. CIS has this configured as a Platform Script, rather than a remediation script with Write-Host being used. Logging is not being written locally on the device. Reading the comments on the script, I can see that it most likely will need to be modified:

   The purpose of this script is to configure a system using the recommendations 
   provided in the Benchmark, section(s), and profile level listed above to a 
   hardened state consistent with a CIS Benchmark.
   
   The script can be tailored to the organization's needs such as by creating 
   exceptions or adding additional event logging.
   
   This script can be deployed through various means, including Intune script 
   manager, running it locally, or through any automation tool.
   

3. User Rights Assignment. This doesn't seem to be getting set correctly. Opening GPEdit and looking at the User Rights Assignments, I see this:

Looking in the registry at PolicyManager (HKLM:\Software\Microsoft\PolicyManager\providers\guid\default\Device\UserRights), I see that Intune says it's setting the policy correctly, but it's not actually setting. Fun times:

From here, I would be looking at re-writing the Services script, most likely to separate them out and run as Remediations instead with proper logging. This will allow me to be more granular, as we do have a lot of exceptions for developers and such in our environment. The user policies is an area we have just kind of accepted failure on, and just look for the users we are actually targeting for success/failure, not all the accounts as our administrative accounts are not being sync'd into Entra. The User Rights Assignment, that's a tricky one and most likely something Microsoft needs to look into.

CIS Microsoft Windows 11 Enterprise Benchmark​

For the Enterprise benchmark, this is where it becomes more fun. Like I said earlier, the Enterprise benchmark is based off Group Policy, where the Intune benchmark is based off CSP. So we'll be running into some mapping issues, as Microsoft in all their wisdom, is not consistent in how settings are being applied. Some Intune settings map back to GP registry settings, some do not. No errors this time, so that's a win! I've gone through the list, pulled out all the Fails, and then have done a comparison between the Intune benchmark and the Enterprise benchmark. From there, I've documented what is supported in Intune, vs what is not supported. I've also found all the corresponding registry paths. It's a little bit confusing, but the way I describe it to people is like this (hopefully someone can correct me, or point me in a better direction):

• Look at the Policy CSP documentation
  • Anything that begins with ADMX_ is considered ADMX backed
    • For the most part ADMX backed settings then write to the GPO based registry path
  • Anything that doesn't begin with ADMX_ is not ADMX backed
    • Some might write to the GPO registry location.
    • Some might not.
    • Some in even the same CSP area will have different results.

All the data from the failures can be found on my Github. I initially tried to put everything in here, but gave myself more of a headache doing it that way. I've gone through about five iterations of this before just landing on an Excel spreadsheet.

Supplementing/Remediating Failures​

Confused yet? So am I. Okay, from here, the focus will be on the Enterprise benchmark from here on out.

Looking at the spreadsheet (Main tab), I see a few different themes:

• Intune supported, not in Intune benchmark
  • 22 settings
• Not Intune supported, not in Intune benchmark
  • 40 settings
• Intune supported, settings that write to different registry paths
  • 100 settings

Breaking it down by CIS Category:

• Section 1: Account Policies
  • 5 failures
    • 1 Intune supported, not in Intune benchmark
    • 4 Not Intune supported, not in Intune benchmark
• Section 2: Local Policies
  • 8 failures
    • 2 Intune supported, not in Intune benchmark
    • 6 Not Intune supported, not in Intune benchmark
• Section 5: System Services
  • 9 failures
    • 4 Intune supported, failing from the Platform Script (Xbox)
      • Created a supplemental Services policy (see below)
    • 5 not Intune supported, still failing from the Platform Script
  • Section 9: Windows Defender Firewall with Advanced Security
    • 23 failures
      • 23 Intune supported, settings that write to different registry paths
        • CSP writes to HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\MDM*ProfileName* rather than HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy*ProfilesName*
  • Section 18: Administrative Templates (Computer)
    • 98 failures
      • 33 Not Intune supported, not in Intune benchmark
      • 17 Intune supported, not in Intune benchmark
      • 46 Intune supported, settings that write to different registry paths
  • Section 19: Administrative Templates (User)
    • 4 failures
      • 3 Intune supported, not in Intune benchmark
      • 1 Intune supported, settings that write to different registry paths

Intune Supported, not in Intune benchmark​

I've now created four new profiles:

• CIS (L1) - Win11 Enterprise - Administrative Templates (Computer)
• CIS (L1) - Win11 Enterprise - Administrative Templates (User)
• CIS (L1) - Win11 Enterprise - Local Policies
  • Note: Baseline calls for "Audit All or Higher", Audit All is not a setting in Intune despite the CSP documentation saying otherwise. Great job!
  • I didn't set this in the below results as it was either Allow All, or Deny.
  • See docs: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_restrictntlm_outgoingntlmtraffictoremoteservers
• CIS (L1) - Win11 Enterprise - System Services

These should cover the settings that are Intune supported, but not in the Intune benchmark.

Not Intune Supported, not in Intune benchmark​

For settings that are not configurable in Intune, there are multiple different ways the settings can still be configured

• Custom OMA-URI
  • What I consider "Supported" is in the Settings Catalog, I didn't look at what is configurable through Custom OMA-URI.
• Remediation Scripts
  • You could do a detection/remediation script through Intune
  • Microsoft Learn
• SCCM Configuration Items/Baselines
  • If you have SCCM or another tool, you could use Configuration Items to configure this.
  • Microsoft Learn
• Group Policy
  • If you're hybrid joined, which is what this post is covering, you could also revert back to using Group Policy.

My preference (just mine), I prefer to use Remediation Scripts or Configuration Items. We started with Configuration Items, and are now starting to push those towards Remediation Scripts to have everything in one tool.

Settings that write to different registry paths​

This is where you need to explain to your security team that Microsoft in all it's wisdom is writing values to different registry locations. There are options, if you're a member of the CIS Workbench, you can fork the benchmark and create you're own. Depending on your org structure though, I would say that should be something dependent on the security team to accomplish and not anyone on the endpoint team.

Re-running the scans​

After setting up the above policies, I re-ran the scans, and achieve the following for the Enterprise benchmark:

Results file

• CIS Microsoft Windows 11 Enterprise Benchmark
  • 406 settings
  • Pass: 273 settings (up from 257)
  • Fail: 131 settings
  • Error: 0 settings
  • Score: 68%

The rest of the results are mainly going to be from a registry path mis-match. One area I do want to call out is the Account Policies section, setting this through Intune can have undesirable affects. For that reason, we've typically left this out of Intune all together.

Conclusion​

As you can see, there is still work to be done, but most of the work from here on out is going to be talking with the security team.

• The banner will need to be updated, have someone (legal?) come up with a banner that suits your org.
• If using Windows Hello, there are a handful of settings that can be tweaked to make a better experience (new blog post coming later)
• If using Configuration Manager, don't set the Windows Update settings, let the client take care of that.
  • Research Dual Scan issues.
• Find what does and doesn't work in your org, pilot everything for a while before rolling out.
  • Don't just take my word for it, I'm just a random guy on the internet.
• Explain the settings to your security team
  • Point them to this excel spreadsheet showing the registry differences.

If you're not subject to regulatory requirements that rely on the Enterprise Benchmark, use the Intune benchmark. If you do rely on the Enterprise benchmark, you have decisions to make. We were already well on the way to Intune, and as more and more settings become configurable, we're only going to see our numbers (hopefully) increase. Still, there is a strong chance Microsoft will write to different registry locations. I would continue to push on the regulatory bodies (and possibly CIS) to include additional checks in the audit files.

Please reach out if you have any questions about this article, always happy to help out when I can.

It's Memorial Day Weekend here in the States, which means it's Indy 500 Weekend. It also means my Indiana Pacers are up 2-0 on the New York Knicks. If you know me, I'm a huge Pacers fan. With that comes a hatred for the Knicks, so right now I am giddy. Game 3 is tomorrow in Indianapolis, and the same day as the Indy 500. Back in Indy, we call that Racers and Pacers Weekend. I don't miss Indiana much for anything at all, but events like this, I do miss. Indianapolis knows how to do sporting weekends right. Without being back in Indy, my family and I will most likely be cooking some hot dogs, eating some s'mores, and burning all the downed sticks and brush from the recent storms. My daughter is also looking into getting into mountain biking, so I have been going down the internet rabbit hole looking for a decently priced mountain bike.

I've had this idea on my mind, and asked Steve Jesok the question at MMS during his session on Intune Remediation Scripts and SCCM Configuration Items. "Does anyone have a way to convert registry based configuration items to Intune Remedation Scripts? Steve was unaware of anything out there. I'm also not entirely sure how useful this would be for admins out there. If already using PowerShell based detection and remediation in SCCM, this isn't really applicable. If you're using the "GUI method" of looking for a registry key, and then remediating off of that, then this post might be for you.

What is a Remediation Script?​

Intune Remediations - Microsoft Learn. Simply put, a Remediation Script is a "detection" and a "remediation". If the detection script detects the state is not correct (Non-Compliant), it will then go onto the Remediation portion.

With Intune, we do have a limit of 200 remediation scripts, which compared to SCCM, is quite small. I like to think of a Remediation Script as being equal to a Configuration Baseline. I don't think we should be doing single actions necessarily, but combining like actions together. In this post, I'll be combining Services together, where I'll want to set multiple Windows Services to a Disabled status.

What do you mean by "GUI Method"?​

Anything that's not script based using Powershell/VBScript/etc, but configurable through the GUI.

Pre-Requisites​

I've added all the files needed for this on my GitHub page.

• Intune Detection Template
• Intune Remediation Template
• Convert Configuration Items to Remediation Script

Walkthrough

Before getting too far into this, my method only works with the templates above for an Intune Detection and Remediation Script. What we're doing is taking these template files, and then doing some manipulation with PowerShell. Working on a team of 6 other engineers, we're trying our best to have repeatable practices, and make the code readable for everyone else. By having a template, this makes things much easier for us to know what is going on. The long-term goal is to also combine this with GitHub Actions and have a repository of code that requires code review and a more DevOps mindset. We're not 100% there yet, but we're working our way to that goal.

Intune Detection and Remediation Template​

I feel like these are pretty self explanatory. As I said earlier, we're thinking of this as more of a Configuration Baseline mindset, where you combine multiple Configuration Items into a Baseline. We're trying our best to not have a single script doing one single purpose (although there are use cases for that). With a large environment, we're trying to avoid the unknown of the future with a 200 script limit.

By having a PowerShell array for the registry key detection, we're able to achieve this with this method.

Converting Configuration items to Remediation Scripts​

I like to try to walk through what I am doing, mainly to kinda serve as a way to document my thoughts and what the heck I was doing. But hopefully people are finding this useful also. I don't consider myself to be the best at this by any means, so hopefully my stumbling explanations will serve somebody out there!

A couple thoughts before I go into the code:

• I've started using CoPilot to provide the comment-based help in my code. Freaking amazing. Such a time saver, highly recommended.
• I hate the name of this function. Any suggestions?

Parameter Block​

At the beginning of the function is the parameters. You can input multiple configuration items through an array, or you can provide no configuration item and get a Out-GridView that will allow you to multi-select Configuration Items. We also have a ValidateSet that will allow you to choose if you only want a Detection Method, or a Remediation, or both. I don't really know why you would just want a Remediation Script, but maybe you already have a Detection Method in place? By default, it's going to default to both a Detection and Remediation Script.

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $False)]
        [array]$configurationItem,
        [Parameter(Mandatory = $False)]
        [ValidateSet("Detection", "Remediation", "Detection/Remediation")]
        $scriptType = "Detection/Remediation"
    )

Authentication, Declarations​

I'm capturing the present working directory ($pwd) to put the location back to once the function is finished. We're also providing authentication to CM, as you will need access to CM to pull the Configuration Items. After that, my declarations are very repeatable, but the last 4 lines are customizable to fit your needs.

$templateDetectionScript and $templateRemediationScript should be the files on my GitHub, just change to the location that fits for you. $OutputDetectionScript and $OutputRemediationScript are where the files will be saved to, with the name of the function and the date ran.

$StartingLocation = $pwd

    #region ConfigMgr Authentication
    $SiteCode = "JL1"
    Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
    Set-Location "$SiteCode`:"
    #endregion

    #region Declarations
    $FunctionName = $MyInvocation.MyCommand.Name.ToString()
    $date = Get-Date -Format yyyyMMdd-HHmm
    if ($outputdir.Length -eq 0) { $outputdir = $pwd }
    $OutputFilePath = "$OutputDir\$FunctionName-$date.csv"
    $LogFilePath = "$OutputDir\$FunctionName-$date.log"
    $templateDetectionScript = "C:\Users\jlove\test\Intune-Registry-Detect.ps1"
    $templateRemediationScript = "C:\Users\jlove\test\Intune-Registry-Remediate.ps1"
    $OutputDetectionScript = "$OutputDir\detect_$FunctionName-$date.ps1"
    $OutputRemediationScript = "$OutputDir\remediate_$FunctionName-$date.ps1"
    $ResultsArray = @()
    #endregion

Gathering the Configuration Items​

In the first part, if you do not input a configuration item in the parameter block, you'll get a popup from Out-GridView allowing you to multi-select configuration items. I forget who I found this little trick through, but I've been trying to put the Out-GridView selection into everything I do since then. I find it to be so helpful. If you did input configuration items in the parameter block, then we are doing a search for those configuration items, and then adding them to an array.

 #region Configuration Items
    if ($null -eq $configurationItem) {
        $resolvedConfigurationItems = (Get-CMConfigurationItem -Name * -Fast | 
            Select-Object DateLastModified, InUse, LocalizedDescription, LocalizedDisplayName, ObjectPath |
            Out-GridView -PassThru).LocalizedDisplayName
    }
    else {
        $resolvedConfigurationItems = @()
        foreach ($item in $configurationItem) {
            $resolvedItem = (Get-CMConfigurationItem -Name $item -Fast).LocalizedDisplayName
            if ($resolvedItem) {
                $resolvedConfigurationItems += $resolvedItem
            }
            else {
                Write-Warning "Could not resolve configuration item: $item"
            }
        }
    }
    #endregion

Building the Configuration Items for Conversion​

With how the data is stored in CM, I found I had to do some manipulation to then get it to work with PowerShell.

• For the $complianceRules section, in our environment we are looking for a "Value" and checking to make sure the item "Exists". Because of that, I only wanted to grab what is a value, so I put a Where-Object on this.
• Similar with $complianceSettings, I don't want to grab anything that's already a script, just anything where the sourceType = Registry. If it's not Registry-based, I'm simply skipping over all of that. There are other ways to export those scripts.
• Switch is somewhat new to me, and I've been trying to use that more also. CM stores the items as Int64, String, and StringArray (amongst some others), but using PowerShell, they need to be DWORD, STRING, MULTISTRING, so I am converting to that format.
• I also need to change HKEY_LOCAL_MACHINE to HKLM: and HKEY_CURRENT_USER to HKCU:.
• Once all the data is manipulated how I want, I'm adding everything to a PSCustomObject, and then storing in a $ResultsArray.

#region Compliance Rules/Compliance Settings
    foreach ($item in $resolvedConfigurationItems) {
        Write-Output "Processing configuration item: $item"

        $complianceRules = Get-CMComplianceRule -Name $item -WarningAction Ignore | 
        Where-Object { $_.expression.operands.methodtype -eq "Value" }

        $complianceSettings = Get-CMComplianceSetting -Name $item -WarningAction Ignore | 
        Where-Object { $_.sourceType -eq "Registry" } | Select-Object -Unique

        if (!$complianceSettings) {
            Write-Warning "Configuration Item '$item' is not Registry-based. Skipping..."
            continue
        }

        foreach ($rule in $complianceRules) {
            foreach ($setting in $complianceSettings) {

                $settingdatatypeName = switch ($setting.settingdataType.Name) {
                    "Int64" { "DWORD" }
                    "String" { "STRING" }
                    "StringArray" { "MULTISTRING" }
                    default { $setting.settingdataType.Name }
                }

                $settingLocation = $setting.location -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
                $result = New-Object -TypeName PSObject -Property @{
                    RuleValue       = $($rule.expression.operands.Value)
                    SettingDataType = $settingdatatypeName
                    SettingPath     = $settingLocation
                    SettingName     = $($setting.ValueName)
                }

                $ResultsArray += $result
            }
        }
    }

    if ($ResultsArray.Count -eq 0) {
        Write-Warning "No registry-based configuration settings found in any selected Configuration Items."
        return
    }
    #endregion

Building the Registry Keys​

In this region, we're simply taking the results from the $ResultsArray and converting to the format needed in the Detection and Remediation Scripts.

#region Build RegistryKeys content
    $registryKeysContent = @()
    $registryKeysContent += "`$RegistryKeys = @("
    foreach ($result in $ResultsArray) {
        $registryKeysContent += "    @{ Path = `"$($result.SettingPath)`"; Name = `"$($result.SettingName)`"; Type = `"$($result.SettingDataType)`"; Value = `"$($result.RuleValue)`" }"
    }
    $registryKeysContent += ")"
    #endregion

Modifying the templates, saving the new files.​

• The IndexOf, we're looking for the correct lines in the detection and remediation script, and if not, we're leaving those sections as is. In simple terms, we're only looking to modify a certain block of text in the two template files, and add on to it with whatever is in the ResultsArray.
• Once all that is finished, we're then saving as a new PowerShell file, with the right encoding.
• We have checks from the parameter block looking for either Detection, Remediation, or both.

 #region Detection Script
    if ($scriptType -eq "Detection" -or $scriptType -eq "Detection/Remediation") {
        $detectiontemplateLines = Get-Content $templateDetectionScript
        $detectionstartIndex = $detectiontemplateLines.IndexOf('$RegistryKeys = @(')
        $detectionendIndex = $detectiontemplateLines.IndexOf(')')

        if ($detectionstartIndex -eq -1 -or $detectionendIndex -eq -1) {
            Write-Warning "Could not find `$RegistryKeys block in the detection template. Check formatting."
        }
        else {
            $detectionnewContent = @()
            $detectionnewContent += $detectiontemplateLines[0..($detectionstartIndex - 1)]
            $detectionnewContent += $registryKeysContent
            $detectionnewContent += $detectiontemplateLines[($detectionendIndex + 1)..($detectiontemplateLines.Length - 1)]

            $detectionnewContent | Out-File $OutputDetectionScript -Encoding utf8
            Write-Output "Detection script saved as: $OutputDetectionScript"
        }
    }
    #endregion

    #region Remediation Script
    if ($scriptType -eq "Remediation" -or $scriptType -eq "Detection/Remediation") {
        $remediationtemplateLines = Get-Content $templateRemediationScript
        $remediationstartIndex = $remediationtemplateLines.IndexOf('$RegistryKeys = @(')
        $remediationendIndex = $remediationtemplateLines.IndexOf(')')

        if ($remediationstartIndex -eq -1 -or $remediationendIndex -eq -1) {
            Write-Warning "Could not find `$RegistryKeys block in the remediation template. Check formatting."
        }
        else {
            $remediationnewContent = @()
            $remediationnewContent += $remediationtemplateLines[0..($remediationstartIndex - 1)]
            $remediationnewContent += $registryKeysContent
            $remediationnewContent += $remediationtemplateLines[($remediationendIndex + 1)..($remediationtemplateLines.Length - 1)]

            $remediationnewContent | Out-File $OutputRemediationScript -Encoding utf8
            Write-Output "Remediation script saved as: $OutputRemediationScript"
        }
    }
    #endregion
    Set-Location $StartingLocation
}

Script Example​

In my example, I have a set of Configuration Items that are setting Windows Services to Disabled in the registry. I'm wanting to take those, and convert them to an Intune Remediation Script.

I ran the function without inputting any configuration items, or choosing what method I want. Who is to remember the names of these anyways?

I am now prompted to select what Configuration Items I want to include. I want all of them that are Services

I want some pretty output telling me what is happening

I now have both a Detection and Remediation Script!

Conclusion

Next step would be to tie this all to a GitHub Action, and have this upload to Intune, following proper code review using branch protection. Again, maybe you already had PowerShell scripts in CM. You were more thoughtful than me (we are about 50/50). If not, you now have a way to convert those more easily.

Have a great weekend everyone! GO PACERS

What a week! Last week was MMS MOA 2025, and I still have this odd hangover from the week that I'm trying to recover from. The past couple nights I've been in bed by 8-9 p.m., which for my 40 year old self, isn't that far off. The haze in general is starting to wear off, and I'm starting to get back into the swings of every day life and every day work. I always come out of MMS with such excitement, but then typically there are the work challenges that get in the way. Never the fault of the actual team I'm on mind you, just work in general. I thought about making a post about all the sessions, all the fun, and everything else that makes MMS great, but my brain is foggy, and I don't know that I could do the week proper justice.

One of the questions I asked in a session about the Open Intune Baseline was surrounding AVD, and how to manage multi-session hosts. For those unfamiliar, AVD Multi-Session is running a "ServerRDSH" SKU, which, accurate or not, I think of these as Terminal Servers running a Windows 11 like operating system. With that, there are challenges with managing these in Intune. Microsoft, has IMO a pretty poorly written [Microsoft Learn[(https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/azure-virtual-desktop-multi-session)] article, that vaguely lays out the limitations. As we've started on the AVD path, and with the amount of clicks it takes in Intune to see what settings are actually applying and what are Not Applicable, we noticed quite the drift in our settings, especially when configuring the CIS L1 Baselines. In our case, due to auditing purposes, we use CIS Windows 11 Enterprise L1, rather than the Intune baseline that has been developed.

Once we figured out there was a limitation in the settings, I got thinking, how can we gather this data and actually know what is applying?

Graph API for the win​

When the Graph API first came out, I was confused on how this worked. Granted, I'm still confused, but just not as confused. In ITIL terms, that is considered progressing iteratively. We looked at the Graph SDK, and I quickly got frustrated by the length of some of the cmdlets, and the inconsistencies. So rather than fumbling with the cmdlets, I've really dove into the Graph API, and found it so much more repeatable and enjoyable. There are still gotchas, and I'm still trying to really figure out the syntax on searching, but I'm getting better.

I wrote a quick function, called Export-IntuneConfigurationSettings. What this allows me to do is search the Graph URI "https://graph.microsoft.com/beta/deviceManagement/configurationSettings", for settings and return the data from that. (Settings Catalog backed only)

Walking through the script​

I don't like to just link a script and leave it at that, so let's walk through it.

Parameters, Connection, Declarations​

If you've seen past posts from me, a lot of what I write I like to make very repeatable. To be honest, I do a lot of copying and pasting. But, it makes things easier for me, and I like to think easier for the people I work with when they look at our modules and functions and see repeatable code, rather than something crazy.

            $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationSettings"
            $Settings = (Invoke-MGGraphRequest -Method Get -Uri $uri).value

Based off the connection above, I was able to find all the different operating system skus that are available on the Windows side in Intune. For this purposes (and most), I don't really care too much about iOS, Android, or Mac, so I'm just including Windows based operating systems.

$settings.applicability.windowsskus

This will give you the direct path to the full list of the WindowsSkus.

[CmdletBinding()]
    Param(
        [Parameter(Mandatory = $True,
            HelpMessage = "Choose from the following: All, windowsCloudN, windows11SE, iotEnterpriseSEval, windowsCPC, windowsEnterprise, windowsProfessional, windowsEducation, holographicForBusiness, windowsMultiSession, iotEnterprise")]
        [ValidateSet('All', 'windowsCloudN', 'windows11SE', 'windows11SE', 'iotEnterpriseSEval', 'windowsCPC', 'windowsEnterprise', 'windowsProfessional', 'windowsEducation', 'holographicForBusiness', 'windowsMultiSession', 'iotEnterprise')]
        [string]$Scope
    )

As you can see above, I'm doing a ValidateSet and giving options on the different SKUs to choose from, or you can select All.

    # Microsoft Graph Connection check
    if ($null -eq (Get-MgContext)) {
        Write-Error "Authentication needed. Please connect to Microsoft Graph."
        Break
    }

    #region Declarations
    $FunctionName = $MyInvocation.MyCommand.Name.ToString()
    $date = Get-Date -Format yyyyMMdd-HHmm
    if ($outputdir.Length -eq 0) { $outputdir = $pwd }
    $OutputFilePath = "$OutputDir\$FunctionName-$date.csv"
    $LogFilePath = "$OutputDir\$FunctionName-$date.log"
    $ResultsArray = @()
    #endregion

This section is basically in all the code I have. In my profile, I have an $outputDir that I am setting, just a default path to dump all my files. If that is not present, than it will dump to present working directory.

Gathering the settings​

Now, we're ready to gather the settings. Based on the $Scope above, I have a Switch statement, one that is looking for ALL the settings, and one looking for settings based on a specific SKU.

 #region Gather the settings
    Switch ($Scope) {
        "All" {
            $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationSettings"
            $Settings = (Invoke-MGGraphRequest -Method Get -Uri $uri).value
        }
        Default {
            Try {
                $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationSettings?`$search=%22|||WindowsSkus=$Scope|||%22"
                $Settings = (Invoke-MGGraphRequest -Method Get -Uri $uri).value
            }
            Catch {
                Write-Error "Error gathering Settings: $_"
            }
        }
    }
    #endregion

Building the object, outputting the results​

Now that we have the data, we can then build it into a PSCustomObject, and output the results. Nothing too crazy here, this is the data I found most intriguing, but there is a ton of information in the Graph API for this. Once that is done, we're outputting the results to a CSV file to look at later.

#region Build Object
    foreach ($item in $Settings) {
        $result = New-Object -TypeName PSObject -Property @{
            Name                    = $item.Name
            Keywords                = $item.Keywords -join "; "
            RootDefinitionId        = $item.RootDefinitionId
            DisplayName             = $item.DisplayName
            HelpText                = $item.HelpText
            OffsetURI               = $item.OffsetURI
            InfoUrls                = $item.InfoUrls -join "; "
            MinimumSupportedVersion = $item.applicability.MinimumSupportedVersion
            WindowsSkus             = $item.applicability.WindowsSkus -join "; "
        }
        $ResultsArray += $result
    }
    #endregion

    #region Results
    if ($ResultsArray.Count -ge 1) {
        $ResultsArray | Sort-Object -Property DisplayName | Export-Csv -Path $OutputFilePath -NoTypeInformation
    }

    # Test if output file was created
    if (Test-Path $OutputFilePath) {
        Write-Output "Output file = $OutputFilePath."
    }
    else {
        Write-Warning "No output file created."
    }
    #endregion

The Data​

I've uploaded the raw CSV file on my Github, along with some other files.

CSV output for All CSV output for Multi-Session

Initial count:

• 16232 lines/settings for All
• 13288 lines/settings for Multi-Session
• 13739 lines/settings for Windows Enterprise

Quite the difference, even between Multi-Session and Enterprise

CIS Benchmarks​

The last bit of this post, is how this relates to CIS Benchmarks. When I first started looking at this, we were (and still) are on Enterprise v3.0.0. Since then, v4.0.0 has been released, along with v4.0.0 of the Intune benchmark. Rather than go back and re-work all the data, which was becoming to annoying for me. I've included three tabs, one for CIS Windows 11 Enterprise v3.0.0, one for CIS Windows 11 Enterprise v4.0.0 (only the new settings), and one for CIS Windows 11 Intune v4.0.0

The data for that can also be found on my GitHub

Breakdown of each tab:

• v3.0.0 Windows 11 Enterprise L1
  • 61/384 settings are Intune configurable but not AVD Multi-Session scoped.
    • Intune configurable = Settings Catalog configurable, no custom ADMX, CSP, Remediation, etc.
  • 82/384 settings are not Intune configurable, meaning they are not an option in the Settings Catalog
    • Or they could be names I couldn't find, looking at you One Drive instead of OneDrive!
  • 143/384 settings are not supported in Intune for AVD Multi-Session hosts
• v4.0.0 Windows 11 Enterprise L1
  • Like I said, a new benchmark released, so this tab is a little bit of a work in progress here.
  • 3/31 settings are Intune configurable but not AVD Multi-Session scoped.
  • 10/31 settings are not Intune configurable, meaning they are not an option in the Settings Catalog
  • 13/31 settings are not supported in Intune for AVD Multi-Session hosts (adding in the v3.0.0 settings to get the full picture)

Before I go too much further, I do want to recognize that CIS says the Intended Audience for these benchmarks are:

We're in this situation where we have multiple forests, hybrid joined, and no longer wish to manage our settings with Group Policy. Due to regulations, we also need to adhere to IRS config standards, which use the Enterprise benchmarks. I don't believe we're the only ones out there doing this, as Microsoft's stance has been to push users towards Intune management rather than Group Policy management, so this is the pickle we are in.

Mini disclaimer over

For work purposes, the Enterprise benchmarks is all I really care about, but for everyone else, I wanted to provide the Intune benchmark data also.

• v4.0.0 Microsoft Intune for Windows 11
  • 86/337 settings/lines are Intune configurable but not AVD Multi-session scoped.
  • 16/337 settings are not Intune configurable, meaning they are not an option in the Settings Catalog.
    • Note: These are named properly from CIS, where the Enterprise uses Group Policy naming convention.
      • Next rant: You think they could standardize the naming scheme for us between GPO and Intune? That'd be super neat.
  • 102/337 settings are not supported in Intune for AVD Multi-Session Hosts

Big Takeways​

• For some reason, User Rights Assignments aren't supported. Why? Beats me. It seems like you would want these to be configurable, but maybe I am missing something.
• ASR Rules aren't supported. I'm assuming you just wouldn't want processes to start getting blocked on these and locking users out?
• Services, not Intune supported at all, but maybe one day?
• The rest seem like random settings to me. I don't really see a rhyme or reason really to why some would be supported, but some aren't. Example: Allow Cortana = Supported. Allow Cortana Above Lock = Not Supported

Conclusion​

Really, this was more of an awareness post more than anything. I think a lot of us are new to the AVD/VDI/Virtual world, coming mainly from a physical workstation side of the house. I've touched Citrix, but it's been many years ago. With Intune and now Microsoft having AVD, it seems orgs are sort of combining the teams and hoping to set the policies the same as a workstation. To me it makes total sense to go this route, but there are some catches and things to consider, especially with Intune. Hopefully this will help someone else out, and be able to catch settings not applying more easily.