Handy Windows 11 Collections for Configuration Manager

Are you ready for Windows 11? No? Why not? The Windows 10 deadline is fast approaching; just look at the title image, it's already starting to fade away… I kid you not, October will be here quick as a flash and there's much to do. Recently I've had a couple of Configuration Manager customers starting their journey to Windows 11, and as a result I thought I'd create this short blog post on some useful Configuration Manager collections I've used to aid my customers on their journey.

A well-structured deployment strategy is crucial for a smooth rollout, and some customers still use Microsoft Configuration Manager (SCCM/MEMCM), which plays a strong role in certain upgrade plans. As with dynamic membership rules in Intune, one of the most powerful tools within Configuration Manager is its ability to create dynamic device collections from a massive plethora of conditions, allowing IT teams to segment and control deployments with more precision.


Intune and Power BI Deep Dive - Part 9 - Connectors and Tokens

In this post I'm going to cover (some) connectors and tokens in Microsoft Intune, in particular how we pull the data from them into Power BI. These are going to be slightly different from the preceding posts as they will only take one form: a direct call. The difference here is that we're not using a Logic App; we're just calling the API and processing the result. This is what I mean by a "direct Microsoft Graph call": no pagination required, so the Power Query M will take the form of first getting a bearer token for authorisation, then using that token to authenticate against the Graph, and ultimately passing the data back to us.


Troubleshooting SAML Auth on FortiClient VPN when applying Microsoft Security Baselines

Dearest gentle reader… (Yes, my wife is making me watch that Bridgerton series on Netflix, so I may speak like a 19th century gentleman during this blog post… or not…) I recently wrote about Center for Information Security (CIS) and how those configurations broke Windows Autopilot. It then developed into a series on CIS with another gentleman of the manor, Nick Benton. And so, speaking of security posture, on my latest customer engagement the customer wanted to modernise their Windows management and explore Entra-joined-only devices using Autopilot, but also to improve their security configuration by using Microsoft Security Baselines. Which of course I did, but in doing so this broke their SAML authentication on FortiClient VPN, so here's the story of how I fixed it.


Intune Defender for Endpoint Connector

Defender for Endpoint: are you licensed for it? Are you using it? Are you using Intune? Then why are you not using the Intune connector for Microsoft Defender for Endpoint (MDE)? In this article I hope to explore this on your behalf and share my findings. Microsoft Defender for Endpoint and Intune can be integrated to enhance your organisation's security posture by enabling endpoint protection, threat detection, and response capabilities across all managed devices. This integration allows for the sharing of security information and the application of compliance policies based on threat intelligence.

So, what do we need to be able to use this? Let's take a look at the minimum requirements for Defender for Endpoint.


CIS Intune Baselines - What do they break?

(And yes, I know… AI-generated blog post images are beginning to get a bit cringe… but I actually liked this one so I rolled with it.)

Hello again folks, today we're talking CIS. What is it and, more specifically, what does it break? Here in the UK everyone talks about NCSC baselines and adhering to Cyber Essentials or Cyber Essentials Plus, and for both of these there is guidance you can follow with suggestions that help you improve your security posture. NCSC even provide some (old) JSON files of Windows configuration profiles that you can download and import into Intune to get you started. Great!


Intune and Power BI Deep Dive - Part 8 - Autopilot Devices

In this post we'll look at pulling in details about Autopilot devices. Our list call from Managed Devices, covered in Part 6, gives us a column telling us whether a device is Autopilot enrolled, but what if we want more information than that? What if we want to know the group tag it uses, or whether it has an Autopilot profile assigned to it? Let's go get that!


Intune and Power BI Deep Dive - Part 7 - Managed Applications

In this post we'll look at applications within Intune. The Graph response for this will have some additions for applications at the bottom for cross-referencing purposes, so check those out too, especially if you use PatchMyPC.

Let's get to it!


<ul>
<li> <a href="/articles/bp-1-pbi-intune/">Part 1 - Where to Start</a> </li>
<li> <a href="/articles/bp-2-pbi-intune/">Part 2 - Application Registration</a> </li>
<li> <a href="/articles/bp-3-pbi-intune/">Part 3 - Exploring Graph URLs</a> </li>
<li> <a href="/articles/bp-4-pbi-intune/">Part 4 - Get-BearerToken</a> </li>
<li> <a href="/articles/bp-5-pbi-intune/">Part 5 - Heavy Lifting</a> </li>
<li> <a href="/articles/bp-6-pbi-intune/">Part 6 - Managed Devices</a> </li>
<li> <a href="/articles/bp-7-pbi-intune/">Part 7 - Managed Applications</a> </li>
<li> <a href="/articles/bp-8-pbi-intune/">Part 8 - Autopilot Devices</a> </li>
<li> <a href="/articles/bp-9-pbi-intune/">Part 9 - Connectors and Tokens</a> </li>
</ul>


Intune and Power BI Deep Dive - Part 6 - Managed Devices

In this post we are finally going to look at getting some data into Power BI to play around with. We are going to use a query in Power BI to go and retrieve our managed device information. Remember discussing pagination for APIs? Should you have more than 1000 devices we're also going to need to consider pagination, but don't worry, there are three methods to do this, discussed below.



Intune and Power BI Deep Dive - Part 5 - Heavy Lifting

In this post we'll take a look at using Logic Apps and OData.Feed to do the 'heavy lifting' for us. By heavy lifting I essentially mean handling pagination of the Microsoft Graph call: using the app registration permissions for authorisation to the data, then processing the result to make sure we have all the data we need, and finally passing the results back to Power BI, so that it is all handled outside of Power BI. Power BI only cares about the data.


Intune and Power BI Deep Dive - Part 4 - Get-BearerToken

In the previous posts we talked about obtaining an access token (bearer token) to access the data in our environments. We even looked at using our first POST query to request a token in Postman. The reason I've called this post 'Get-BearerToken' is because I'm going to explain how to use a combination of Power BI variables and a function to leverage the application registration we have to get a bearer token within Power BI Desktop. We can then use that bearer token to authenticate against the Microsoft Graph and start to pull data into Power BI like we did in the Postman application. If you didn't know, a Graph response will provide a maximum of 1000 results and the rest will be split into chunks, known as pages. So page 1 contains results 1-1000, page 2 results 1001-2000, and so on and so forth. If we don't put this response into some sort of loop to fetch the extra pages, we will only ever see part of our data. This is known as pagination, and it is a consideration for the next few posts.


Intune and Power BI Deep Dive - Part 3 - Exploring Graph URLs

Next up, we're going to explore the Graph, its URLs and its permissions. Continuing on from Part 1 and Part 2, our next step is to begin by understanding our path to getting Intune data into Power BI, which is going to be via direct Microsoft Graph calls, remembering of course that the Intune Data Warehouse did not meet our requirements. We are also going to leverage an application registration to access the data we want to see. This is gonna be a BIG post, so make sure you have plenty of time to read.


Intune and Power BI Deep Dive - Part 2 - Application Registration

Continuing from Part 1, our next step is to establish an application registration in Azure. This registration will enable us to utilise its permissions for accessing data on the Microsoft Graph and hopefully then, importing that data into Power BI. This setup is essential as it serves as a global prerequisite for accomplishing our ultimate objective.


Intune and Power BI Deep Dive - Part 1 - Where to Start

In this series, I will guide you through the process of extracting data from Microsoft Graph, specifically Microsoft Intune, and integrating it into Power BI. We will explore different approaches, considering their advantages and disadvantages, in order to provide you with a solid foundation for creating your own reports within your specific environment. Its intent is to take you on a journey as I discover what to do, so please do take the time to read the posts in order to ensure you come along for the ride! I have invested significant time and effort into studying this subject and understanding the potential pitfalls associated with various approaches. Whilst undertaking this journey I also took and passed my PL-400 exam, an achievement I am very proud of. Throughout this series we will cover the prerequisites, data ingestion methods, the approach I personally adopt, and I will share some of my queries. Additionally, I aim to demonstrate effective strategies for managing this integration. So… let's get to it.


Setting a Group Tag During a Configuration Manager Task Sequence

In this post I'm going to talk about using the "Windows Autopilot deployment for existing devices" task sequence in Configuration Manager and modifying that task sequence to set a group tag during the process. You may know that traditionally this task sequence is used to 'build' devices and have them ready to start the Autopilot process. I had a customer recently that had that very need. They had purchased a large number of machines that were delivered with Windows 10 installed and not Windows 11. As the customer was already on their Windows 11 uplift journey they were a bit disappointed, to say the least, and they opted to create a Configuration Manager task sequence to prep the machines for Autopilot. That prep process was to include wiping the device and reloading it with Windows 11, adding the device to the tenant's Autopilot devices AND setting a group tag to drop the device into pre-created groups that control the apps and configurations the devices are going to receive during Autopilot.


How to build apps in Endpoint Manager

Hello everyone, I hope you are all safe and well.

I’ve been thinking about writing this for a while and I hope it helps some of you new to app packaging.

How do I build apps?

It never hurts to brush up if you're a seasoned app packager. App packaging isn't going away any time soon; everyone needs apps. The Microsoft app store has gotten better, but I don't feel it's quite there yet in terms of broadly available applications. Sometimes companies have line-of-business applications that they build in-house, and as system administrators you may be responsible for packaging and distributing those applications. How do you tackle it? Where do you begin?


Logon to Autopilot HAADJ Devices Using FortiClient VPN

I recently had a customer who uses FortiClient as their VPN solution, and they have recently embarked on setting up Hybrid AAD. We set their tenant up, sorted out licensing and I started to put in the fundamental elements to begin the journey to using Autopilot for provisioning devices. I had set up AAD Connect and used IDFix to remediate any issues, such as UPN suffixes for end users, via PowerShell, and we were ready to go. Equally, I had made them an Intune Win32 app for FortiClient, and this installed and removed just fine using PSADT. I had already tested the Autopilot process and things were looking good.


PowerShell App Deployment Toolkit and Intune Win32 Apps

Hi Folks!

Leading on from this post about getting started with PSADT, and as promised, I’m writing up my experience with it and creating Win32 Intune apps.

So firstly, I'm assuming by now that you've read and absorbed the first write-up I did. You should have noticed that a couple of things I did in that post can actually be done differently, and you should be eager, armed with an understanding of the format and with a good idea about what to do. Combine that with great 'google-fu' and you're ready to continue your decent app packaging journey.

Using this with ConfigMgr applications is quite simple, because once you've prepared your application you use the root folder as the source content for the application and the rest is pretty straightforward (holler at me if you want that blogged too). Putting that into Intune, however, is slightly different. There are many blog posts about the Intune Content Prep Tool, but in a nutshell this tool will take your content (source) files for your application and output a single .intunewin file, which is the file format that Intune understands. So let's go ahead and download the tool from here and extract it to a local folder.


PowerShell App Deployment Toolkit Write Up

Hi all, thought I'd write up what I've been working on recently, which is revisiting the PowerShell App Deployment Toolkit. It is a great resource for ConfigMgr apps, but equally it is supported in Intune, so I will be doing a follow-up post on using this with Intune. I know there are plenty of blogs out there on this, so this is just my interpretation and is intended to get people started. I know, for example, that the kit comes with a wide variety of cmdlets that you can utilise to achieve tasks, but this write-up is based around getting those a little familiar with PowerShell up to speed with it. There are many ways to skin a cat.
