How to Ship your Teams Company Background Images with Intune

In this blog post I saw that Teams now supports background images, i.e. replacing the blurred Teams background with an image of your choice:

With this news, my friend and I just started a Teams call and had some fun testing some background images.

Then we started to create some images for the company we are working for. Of course we added some funny ones and others with the corporate logo. Then we came up with the idea to ship those images to everyone's computer with Intune. Here is a step-by-step guide on how to do it, if you would like to have this nice new Teams feature configured.


You should know that the files will be stored in the user's AppData: %AppData%\Microsoft\Teams\Backgrounds\Uploads

The user must first choose one of the MS backgrounds in Teams before Teams creates this folder, but you can also create it yourself and use it.

There is another limitation: if you use JPG, the files must be in a special format, the same size and max. 1 MB, like the background templates from MS. If you use PNG there are no limitations, as far as I have tested so far.

At the moment this is a "hack"; MS Teams will add a user-friendly "add my own background" option in a later version of Teams.
I have no idea whether this will still work in the future, so no guarantee; test it first in a lab before production, and maybe you need to make some changes to the PowerShell scripts I created.

I have tested this with Windows Insider Build 19608 / Win10 1909 and the Teams version (64-bit) that was last updated on 4/11/20.

Step by Step:

  1. Create your images and place them in a folder
  2. Download the latest Win32 Content Prep Tool
  3. Create a PowerShell script for the copy job (copyTeamsBG.ps1)
  4. Create a PowerShell script for deleting the files (copyTeamsBGuninstall.ps1)
  5. Place the scripts in the same folder as your pictures
  6. Create a detection script for Intune (detectionScript.ps1) and grab or create an icon image
  7. Run the Intune Content Prep Tool to create the .intunewin file:
     IntuneWinAppUtil.exe -c C:\intune\bv-teams -s C:\intune\bv-teams\copyTeamsBackground.ps1 -o C:\intune\bv-teams\TeamsBackgroundImg -q
  8. Log in and add an app:

Select your Intunewin File

Click Next and add your commands to run the PowerShell scripts for the copy and the uninstall:

powershell.exe -executionpolicy bypass -file ".\copyTeamsBG.ps1"
powershell.exe -executionpolicy bypass -file ".\copyTeamsBGuninstall.ps1"

Select the install behavior = User

Select the Requirements Options you like

Use the detection script to check that the images are in the right place for Teams

Review & Create the Package

  1. Create an AAD group to test the package you just created
  2. Have a look at your computer:
     Logs folder: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
     Log: IntuneManagementExtension.log
  3. Check the Endpoint portal for success
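The three scripts named in the steps above, written out as an added example (these are not the scripts from the original post; the listing holds all three files, split it at the ===== headers into copyTeamsBG.ps1, copyTeamsBGuninstall.ps1 and detectionScript.ps1). The image names company-logo-1.png / company-logo-2.png and the manifest path under %LocalAppData% are constructed for the example:

```powershell
# ===== copyTeamsBG.ps1 : install script, runs as the signed-in user (install behavior = User) =====
# Copies the images packaged next to this script into the per-user Teams upload folder
# and records which file names were shipped, so the uninstall can be precise.
$target      = Join-Path $env:APPDATA 'Microsoft\Teams\Backgrounds\Uploads'
$manifest    = Join-Path $env:LOCALAPPDATA 'CompanyTeamsBackgrounds\shipped.json'   # constructed path
$maxJpgBytes = 1MB   # JPG limit mentioned above; PNG has no such limit

if (-not (Test-Path $target)) { New-Item -Path $target -ItemType Directory -Force | Out-Null }
New-Item -Path (Split-Path $manifest) -ItemType Directory -Force | Out-Null

$shipped = @()
foreach ($img in Get-ChildItem -Path (Join-Path $PSScriptRoot '*') -Include '*.png','*.jpg' -File) {
    if ($img.Extension -eq '.jpg' -and $img.Length -gt $maxJpgBytes) {
        Write-Warning "Skipping $($img.Name): exceeds the 1 MB JPG limit"
        continue
    }
    Copy-Item -Path $img.FullName -Destination (Join-Path $target $img.Name) -Force
    $shipped += $img.Name
}
# Only the names we shipped are stored, so the uninstall never touches the user's own uploads.
ConvertTo-Json -InputObject @($shipped) | Set-Content -Path $manifest -Encoding UTF8
exit 0

# ===== copyTeamsBGuninstall.ps1 : removes only the files this package shipped =====
$target   = Join-Path $env:APPDATA 'Microsoft\Teams\Backgrounds\Uploads'
$manifest = Join-Path $env:LOCALAPPDATA 'CompanyTeamsBackgrounds\shipped.json'
if (Test-Path $manifest) {
    foreach ($name in (Get-Content -Path $manifest -Raw | ConvertFrom-Json)) {
        # The manifest is user-writable: accept plain file names only, never a path.
        if ($name -ne (Split-Path -Path $name -Leaf)) { continue }
        Remove-Item -Path (Join-Path $target $name) -Force -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $manifest -Force
}
exit 0

# ===== detectionScript.ps1 : Intune treats exit code 0 plus output on STDOUT as "installed" =====
$target   = Join-Path $env:APPDATA 'Microsoft\Teams\Backgrounds\Uploads'
$expected = @('company-logo-1.png', 'company-logo-2.png')   # constructed names of the packaged images
foreach ($name in $expected) {
    # Exit without output: Intune then reports the app as not detected and runs the install.
    if (-not (Test-Path (Join-Path $target $name))) { exit 1 }
}
Write-Output "Company Teams backgrounds present"
exit 0
```

The install and uninstall scripts are the two command lines entered in the Intune app (see below); the detection script is uploaded under the detection rules. Keeping a manifest of shipped names, instead of emptying the Uploads folder, is what makes the uninstall safe for backgrounds the user added on their own.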

Use Teams with your Company Branded Background Images and have fun…


Manage Android "Corporate device identifiers" in Intune without renaming them, but by adding them to an AAD group

This post has been waiting for a while until now, when I finally found time to publish it. We will fill the gap you hit when you add your company devices (tablets) with a CSV file to your Intune tenant as "Corporate device identifiers".

Some companies only allow company-added devices in the Intune tenant, so a user can't enroll his private device. In Intune you can disable regular device enrollment by users! If you pre-import the CSV with the identifiers (serial or IMEI), you and the users will only be allowed to enroll those devices, as corporate-owned devices.

If you would like to manage those devices in Azure AD with dynamic groups, it can be difficult because not all attributes are synced from Intune to Azure AD. There is also the problem that you can't rename the devices in Intune.

In this example scenario, I have a lot of Android tablets to use as kiosk devices with a multi-app installation. Configuring the kiosk profile, creating configuration profiles and assigning some apps is not part of this blog post. Anyway, you can find the steps below so you can do it if you like:

  1. Create a “Corporate-owned dedicated devices” profile with a QR-code
  2. Create some “Device compliance – Policies”
  3. And also some “Device configuration – Profiles”
  4. Assign some Applications
  5. Maybe create an AAD group to assign all of the above to a specific group
    1. Here we come to the point: when you would like to use dynamic groups with the name tag of the device that you imported with the CSV file, you have no name on that device! How to handle this will be explained in this post.

With a script that I and some co-workers (thank you Athiraiyan Kugaseelan @AKugaseelan and Daniel Schaedler @SchaedlerDaniel) created, you can now fill this gap, since the name of the device is not the same as the one you try to import with the CSV file (in the CSV file you only have the chance to use a separate column to give the device a name). However, this attribute is not synced automatically to Azure AD.

Here is how it works and what it does:

  1. Import a list of Devices as “Corporate-owned dedicated devices” with a CSV-File
  2. Enroll the Device
  3. Create an AAD Group and add the Device
  4. The script to put all together

1. Import a list of Devices as “Corporate-owned dedicated devices” with a CSV-File

In the Intune blade to add "Corporate device identifiers", you have to add your devices from a list you create as a CSV file. You can add the devices by serial number or IMEI.
For Tablets, I prefer the serial number and for phones of course IMEI.

The following steps show you how to go on with the serial number:
First of all, we create an enrollment restriction for the users which does not allow enrolling Android and Android kiosk devices, and assign it to all users or to a specific group of users.

Then we import the CSV file, which has this format:

My example-CSV myExample.csv contains the number (serial or IMEI) and the device details:

In the upload CSV file we can choose to upload the number as serial or IMEI:

Note: In case you are too lazy to use CSV, you can use PowerShell as well 😉
Now you can see your imported devices after clicking on the refresh button in your blade:

In the details column you can see your added name for the device, that name you would like to use in Azure AD with dynamic groups!
Here are the MS-Docs:

2. Enroll the Device

Now you can enroll the devices with a user called afw#setup, which brings up the camera and lets you scan the QR code from your kiosk device profile. As soon as the devices are enrolled, they are not really visible in Azure AD. Go to Intune -> Devices -> All devices. The devices will show up with a weird name:

Unfortunately, you are not able to rename the device in the properties 🙁

However, the devices should be set as corporate-owned devices, and you are able to see the serial number of the device (the same as you have in the CSV file). This is what we need: a matching number between the AAD device and the Intune device!
The only match you can find on both sides is the serial number:

Now, I would like to have the same name in Intune/Azure AD as I uploaded in my CSV (as the details attribute). By design it is not possible to rename the device, but there is another attribute, called "Management name".

We came up with a script to read the serial number from the "Corporate device identifiers" list, look for a device with the same serial number, take the "details" name and set it as the management name of the object.

3. Create an AAD Group and add the Device

Afterwards, we have to create an assigned AAD group, because the management name is not an attribute you can use for dynamic groups (it is not synced from Intune to AAD).

We have to create the group with a script or manually before we add the device to the group. There we can also assign some apps/profiles or policies…

If you use RBAC, you can also add the scope tag to this group, and every client in it gets that tag.

4. The Script to put all together

If you would like to use this script, just download it and add your user name and encrypted password around line 500. It is a function, so the script can be run automated in Azure Automation or in a scheduled task on a server, so that the devices get the real name we want as fast as possible.

How do you create the encrypted password?
(Get-Credential).Password | ConvertFrom-SecureString | Set-Content "C:\source\password.txt"

How to Encrypt Passwords in PowerShell

Just open password.txt and copy the string.
Be careful: if you use the script in a scheduled task on a server, the PowerShell command to create the password has to be run on that server 😉
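An added example of the round trip behind the one-liner above (not part of the original post): the string written by ConvertFrom-SecureString is protected with the DPAPI key of the user who ran it on that machine, which is why the file has to be created as the account that later runs the script, and why it must be converted back without -AsPlainText. The path and the UPN are constructed:

```powershell
# Create the protected password file once, as the account that will run the script,
# then read it back into a PSCredential that Connect-MSGraph -PSCredential accepts.
$passwordFile = 'C:\source\password.txt'                   # constructed path
$adminUPN     = 'intune-automation@contoso.example'       # constructed UPN

function New-ProtectedPasswordFile {
    param([string]$UserName, [string]$Path)
    # Prompts interactively; the SecureString is protected with the current user's DPAPI key,
    # so the resulting string is only readable by this user on this machine.
    (Get-Credential -UserName $UserName -Message 'Password to protect').Password |
        ConvertFrom-SecureString | Set-Content -Path $Path
}

function Get-StoredCredential {
    param([string]$UserName, [string]$Path)
    $protected = (Get-Content -Path $Path -Raw).Trim()
    try {
        # No -AsPlainText here: this decrypts the DPAPI blob. With -AsPlainText the
        # protected string itself would be used as the password.
        $secure = ConvertTo-SecureString -String $protected
    } catch {
        throw "Could not decrypt '$Path'. Recreate it as the account and on the machine that runs the script. $_"
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

if (-not (Test-Path $passwordFile)) {
    New-ProtectedPasswordFile -UserName $adminUPN -Path $passwordFile
}
$creds = Get-StoredCredential -UserName $adminUPN -Path $passwordFile
# $creds can now be passed on, e.g. Connect-MSGraph -PSCredential $creds
```

Restrict the NTFS permissions on password.txt to the service account as well; DPAPI stops other users from decrypting it, but there is no reason to let them read it at all.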

The script loads this module:
Install-Module -Name Microsoft.Graph.Intune
and then it will:
– Find the device
– Get the serial number
– Get the device ID
– Add the device to the AAD group
– Add the management name to the device

There is a little gap between the Intune SDK module and what we have to use to add the device to the Azure AD group; for this case we added some separate functions.
List of variables that you have to change:

  • $LogFilePathFolder = "C:\Source"
  • $adminUPN = ""
  • $passWd = "***********"
  • $AADGroup = "Android-Classroom1"

Click on the link below to get the script:
Here is the detailed description for the script:

# Login with the script to your tenant
# $passWd holds the DPAPI-protected string copied from password.txt (see above),
# so it is converted back without -AsPlainText
$adminPwd = ConvertTo-SecureString -String $passWd
$creds = New-Object System.Management.Automation.PSCredential ($adminUPN, $adminPwd)
Write-Log "Establishing connection"
$connection = Connect-MSGraph -PSCredential $creds
$global:authToken = Get-AuthToken -User $adminUPN

Write-Log "Getting all corporate identifiers"
# getting corp identifiers (helper function of the script)
$corpDevices = Get-CorporateDeviceIdentifiers

Write-Log "Getting all enrolled devices"
# getting enrolled devices
$enrolledDevices = Get-IntuneManagedDevice

# create the AAD group for assignment, if it does not exist
$AADGroup = "Android-Classroom1"
$GroupId = (Get-AADDeviceGroup -GroupName $AADGroup).id
if ($GroupId -eq $null -or $GroupId -eq "") {
    $newGroup = New-AADGroup -displayName $AADGroup -securityEnabled:$true -mailEnabled:$false -mailNickname $AADGroup
    $GroupId = $newGroup.id   # property name is cut off on the original page; .id of the new group is assumed
    #Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
}

# loop over every device that is in the corporate identifiers list and newly enrolled in Intune
foreach ($corpDevice in $corpDevices) {
    # go for the serial number
    if ($corpDevice.importedDeviceIdentityType -eq "serialNumber") {
        if ($enrolledDevices.serialNumber -contains $corpDevice.importedDeviceIdentifier) {
            $deviceToUpdate = Get-IntuneManagedDevice -Filter "serialNumber eq '$($corpDevice.importedDeviceIdentifier)'"
            if ($deviceToUpdate -ne $null) {
                Write-Log "Modifying device with serialnumber '$($corpDevice.importedDeviceIdentifier)'"
                # change the Management name attribute to the description from the CSV
                # (the variable references after "$" are cut off on the original page; the ones below are assumed)
                Update-DeviceManagement_ManagedDevices -managedDeviceId $deviceToUpdate.id -managedDeviceName $corpDevice.description
                # get the matching AAD device object and add it to the AAD group
                $AADDevice = Get-AADDeviceDevice -DeviceID $deviceToUpdate.azureADDeviceId
                Add-AADDeviceGroupMember -GroupId $GroupId -AADMemberID $AADDevice.id
            }
        }
    }
    # go for the IMEI number
    if ($corpDevice.importedDeviceIdentityType -eq "imei") {
        if ($enrolledDevices.imei -contains $corpDevice.importedDeviceIdentifier) {
            $deviceToUpdate = Get-IntuneManagedDevice -Filter "imei eq '$($corpDevice.importedDeviceIdentifier)'"
            if ($deviceToUpdate -ne $null) {
                Write-Log "Modifying device with IMEI '$($corpDevice.importedDeviceIdentifier)'"
                # change the Management name attribute to the description from the CSV
                Update-DeviceManagement_ManagedDevices -managedDeviceId $deviceToUpdate.id -managedDeviceName $corpDevice.description
                # get the matching AAD device object and add it to the AAD group
                $AADDevice = Get-AADDeviceDevice -DeviceID $deviceToUpdate.azureADDeviceId
                Add-AADDeviceGroupMember -GroupId $GroupId -AADMemberID $AADDevice.id
            }
        }
    }
}

More information:

As a matter of fact, this also works without renaming the Android device name. Therefore, you can easily use this:

Please test this before you run it in production. You should be careful since this script creates aad-groups and changes device attributes.

I hope this helps and saves you some time to have a beer….


Android OEM Config with Intune step by step

Microsoft announced that Android OEMConfig is now supported in Intune to manage Samsung Knox and Zebra devices.

How can we get the extension and use it?

Go to your Tenant, add the Managed Google Play Store for Android:

Add an app from the Managed Google Play store:

Have a look for those apps:

OEM                  Bundle ID                     OEM documentation (if available)
Samsung              Knox Service Plugin           Admin Guide
Zebra Technologies   com.zebra.oemconfig.common    Zebra OEMConfig overview

Add the app to your Client apps – Apps

Go to Device Configuration – Profiles and Create a New Profile:

Select the App and start configuring the Settings:

Now you have all the settings to configure, but only the settings that the OEM has defined in its JSON.

If you can't find a setting, go to the OEM's website for the settings; you can add the missing settings to the JSON file yourself, if needed and if it's possible.

More info:

I hope this helps and saves you some time to have a beer….


Implement Intune RBAC (Role-based access control)

Here we go for another Post!

This time, I tried to implement RBAC as a test and for a customer. It was quite hard to get the logic out of it and to figure out how it works in the backend. In the end, I got a piece of advice from a genius (thank you David Falkus for your support) and after a short discussion it made sense to me.

After searching on the internet, I found some docs from Microsoft. Unfortunately, they are not easy to understand, to make side notes on or to draw something from. The document can be found here:

Therefore, I started my own logic draw and I would say it explains the topic in an easier way and I hope, it helps you to understand RBAC 😉 



As you can see on the picture above, there are different parties involved:

  • Member Group
  • Role
  • Scope Tag
  • Scope Group

First, the whole configuration has to be built with a role as the basis. Afterwards, it needs an assignment to add the tag, the member group and the scope group. You are able to use one role with its permissions for multiple assignments, for several use cases with the same rights.

Important: This is my own translation for the different parts in RBAC!

Scope Tags

Tags are used to tag objects in Intune, for example. These objects can be devices, policies, profiles and so on. If you have a group of device objects, you have to tag them separately. Unfortunately, there is no possibility of tagging a whole bunch of clients at the same time. In this case it is easier to use a script and do it with the Graph API:
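An added example of such a script (not the post's own): it applies one scope tag to every Intune-managed device that is a member of an AAD group, using the Microsoft.Graph.Intune module that the other posts on this page use and the Graph beta endpoint, where managed devices expose roleScopeTagIds. It assumes an account that holds the DeviceManagementRBAC.ReadWrite.All and DeviceManagementManagedDevices.ReadWrite.All permissions; the group and tag names are constructed:

```powershell
Import-Module Microsoft.Graph.Intune
Update-MSGraphEnvironment -SchemaVersion 'beta' | Out-Null   # roleScopeTagIds lives in beta
Connect-MSGraph | Out-Null

$scopeTagName = 'Marketing-iOS'           # constructed: an existing scope tag
$groupName    = 'Marketing-iOS-Devices'   # constructed: the AAD group holding the devices

# Follow @odata.nextLink so large groups are not silently truncated.
function Get-GraphCollection {
    param([string]$Url)
    $items = @()
    while ($Url) {
        $page  = Invoke-MSGraphRequest -HttpMethod GET -Url $Url
        $items += $page.value
        $Url   = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Resolve the tag name to its id; never create tags implicitly.
$tag = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/roleScopeTags' |
       Where-Object { $_.displayName -eq $scopeTagName }
if (-not $tag) { throw "Scope tag '$scopeTagName' does not exist; create it in Intune first" }

# 2. Resolve the group and collect the AAD device ids of its device members.
$filter = [uri]::EscapeDataString("displayName eq '$groupName'")
$group  = Get-GraphCollection "https://graph.microsoft.com/v1.0/groups?`$filter=$filter" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }
$aadDeviceIds = Get-GraphCollection "https://graph.microsoft.com/v1.0/groups/$($group.id)/members" |
                Where-Object { $_.'@odata.type' -eq '#microsoft.graph.device' } |
                ForEach-Object { $_.deviceId }

# 3. Merge the tag into each managed device's roleScopeTagIds instead of overwriting,
#    so tags set by other admins (or the default tag) are kept.
foreach ($aadDeviceId in $aadDeviceIds) {
    foreach ($dev in @(Get-IntuneManagedDevice -Filter "azureADDeviceId eq '$aadDeviceId'")) {
        $current = @($dev.roleScopeTagIds)
        if ($current -contains $tag.id) { continue }   # already tagged
        $body = @{ roleScopeTagIds = @($current + $tag.id) } | ConvertTo-Json
        Invoke-MSGraphRequest -HttpMethod PATCH -Content $body `
            -Url "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($dev.id)" | Out-Null
        Write-Host "Tagged '$($dev.deviceName)' with scope tag '$scopeTagName'"
    }
}
```

Because a scope tag decides which admins can see and change a device, run this with a test group first and review the resulting tag list on a few devices in the portal before pointing it at a production group.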

Scope Group

Scope group means the users or devices to manage, such as a limited group of objects like devices (iOS, Android or Windows) or only part of them, such as all iOS devices from Marketing, etc.

Member Group

Members are one person or a group of people who have to manage the objects in the scope group.


Role

Roles have different kinds of permissions. A role can have only "Read" rights on specific objects, or "Write" or "Create" rights. We can, for example, grant access to create a new configuration profile, or only to change a configuration profile with read and write access. A role can be used multiple times.


Assignment

The assignment contains tags, groups and group members. They are assigned to a role, which can have only one or even multiple assignments.

How to Create the Parts

Scope Tags

Scope Tags in Intune

Scope Group

Create a simple AAD Group (dynamic or static) with the objects you would like to manage.

Member Group

Create a simple AAD Group (dynamic or static) with the users, who have to manage the objects from the scope group.


Role

Create permissions.

RBAC Role Permissions


Assignment

Add the member group to the assignment:

RBAC Role assignment member

Add the Scope Group to the assignment:

RBAC Role assignment scope

Add the Scope Tag to the assignment:

RBAC Role assignment tag

One last Thing:

Add a tag to a device:

RBAC tag device

And that's it! Please be careful and test it only with a test user, since you can exclude your own account from some configuration. I recommend using a global admin to create the whole RBAC setup, and avoid using a global admin in a member group. Also worth pointing out: never use All Users & All Devices for the scope group!

I hope this helps and saves you some time to have a beer….


Simple Creation of a WDATP/MDATP PowerBI Dashboard

Hi all,

In this blog post, I will show you how simply you can create a Power BI dashboard from your Microsoft Defender Advanced Threat Protection data.

There is also a very good documentation from Microsoft: for the first part.

Just to be Clear, Windows Defender ATP is now –> Microsoft Defender ATP 🙂

However, the second part is different to the Microsoft documentation.

Part 1

As a first step, log on to the Security Center:

After clicking on the settings-symbol, choose the option “Power BI reports” and click on the “Create Dashboard”-button.

This button will open a new tab in your browser and shows the Power BI online Service Website.

Log in with the same account as you logged-in to the Security Center:

Additional information:
If it is your first log-on, you need to answer some questions and specify some details about the authentication method (use OAuth2). You need as well to accept the access rights.

Choose “Windows Defender Advanced Threat Protection” in the category “My apps”.

This will open and show you a pre-provisioned dashboard.

In case you would like to see a report or create your own dashboard or report, follow the instructions provided below:

Stay on the current dashboard and select the hamburger-button in the top right corner:

This will show you a dashboard, a report and also the connector (datasets) information:

Open the report and have a look at the data shown in this report. In the footer, you have also some register tabs to split the information in different sections:

Would you like to save the report or dashboard on your own workspace? This is difficult, but you have the option to share the dashboard / report and use it from there.

If you would like to build your very own reports, use the connector from the security center “Build custom dashboards”.

This dashboard provides you only with a preview and shows only data from the last 30 days.

Part 2

To understand how the connector works, read the instructions below. Please note that the docs page is no longer matching the today’s Power Bi Desktop:

Download and Install Power BI for Desktop

Start using ATP data with Power BI:

  • Open the Power BI Desktop application after the installation has finished
  • As a first step, use the same credentials as in first part to log in (This is to connect your Power BI online sources) 
  • Select “Get data”
  • Choose “More…”
  • By typing the word “Graph“ the option “Microsoft Graph Security (Beta)” appears.
  • Select “Microsoft Graph Security (Beta)” and connect.
  • Select “continue” on the preview connector wizard
  • In the next wizard, select the Graph version (1.0); in version 1.0 of Graph the elements and paths no longer change. If you would like to play with some upcoming options, choose "Beta", but be careful, these settings can change daily.
  • The log-on mask to log in to Graph will appear. Since the information you connect to is sensitive, you have to use an account with admin rights in the WDATP Security Center (or at minimum read rights).
  • Afterwards, the “Navigator” wizard pops up and you have to select all “Display Options”
  • As soon as the data is loaded, some information to select will appear.
  • This looks like:

In my opinion, this information is not very helpful since it is mainly used to control and remediate alerts.

If you connect to the Power BI online services, you can connect to the data from the first part in this blog:

To use the data from Power BI, open Power BI Desktop:

  • Open the Power BI Desktop application after the installation. Use again the credentials as in first part to log in (This is to connect your Power BI online sources) 
  • Select “Get data”
  • Choose “Power BI Datasets”
  • As a next step, select “My workspace”
  • Select “Windows Defender Advanced Threat Protection” and click “Load”
  • Two new tables will appear:
  • This enables you to easily create your own report:


Here are my two templates for your report, hope it helps:

Have FUN creating your own reports! I hope this helps and saves you time which can be used for drinking a beer 😉


New Course is ready, MMD from 0 to Production in 5-Days

Modern Managed Devices from zero to production 


Mobile devices can be found everywhere in today’s world. They should be managed in an enterprise environment like any other computer. 

In this training you will learn how to manage devices from the cloud with Microsoft Intune. 

Devices in today’s world can work from anywhere and whenever users want. This shift changes security requirements and the way these devices are managed. Therefore, you need to learn how to manage these types of devices. Learn how you can handle end users to make your life better, instead of completing a device and solving all the problems outside your organization.  

Learn to identify business cases, to generate use cases and to provide the right workload with the right technology to the modern workers. This course focuses on managing and securing devices with Microsoft EM&S Suite. The expert and double MVP Mirko Colemberg has developed this five-day practical laboratory based on practical experience. 

Practical Labs:
50 percent of the time is devoted to practical labs and exercises. Another 20 percent are used for use case and workload concepts with appropriate methods for working in production environments. 

Key Learnings:
Creation and implementation of all required settings for using Azure AD and EM&S by yourself and from scratch.  
Transition from business cases to use cases and embedding workloads into the appropriate technology.  
Implementation of the appropriate technology with all the settings needed to get workloads done. 
Getting to know all the different settings that help to implement a working environment based on concrete cases from a company:  

  • Get Azure AD running 
  • Application Management 
  • Modern OSD  
  • Best Practices for the Security Basis 
  • Analytics 
  • Troubleshooting 

Target audience:
This course is aimed at IT Professionals who need a deeper understanding of the modern workplace with Windows and Azure Services and want to expand their knowledge. This course also provides background information on business / use cases to take the right actions to implement the right opportunities for the right workload. 


  • Basic knowledge how network and internet works
  • Knowledge about processes with business and use cases
  • Powershell basic
  • Read about: OMA-URI (CSP) and Graph/AIP

300 Advanced 

Material Goodies:

  • Lab manual (online on Azure AD)  
  • Slide decks (PDFs), Lab documents  
  • A Surface-Go-device  
  • Access to a Teams-group on a private channel for all participants: 
    • to share your experiences
    • chat 
    • wiki
    • script sharing
    • from time to time an online meeting for important updates

Days: 5

German and English

At the moment, this course in available at Digicomp in Zurich, Switzerland. Handouts are in English, but the course will be held in German:  

Manage Devices with all the tools of Microsoft Azure 

Course: Modern Managed Devices from Zero to Production («MMDZP»)
Mobile devices are everywhere in today's world. They should be managed in an enterprise environment like any other computer.

If you would like to organize a class near you, just ask me; I can deliver this course in English all over the planet.


Sennheiser Device testing 😊

Hi all

This time, I'm at the MCT Global Summit in Germany (Cologne) and it is the first time I'm writing a blog post about a product. This means everything I'm writing is my personal opinion and can differ from your opinion about those devices.

I got the chance from the sponsor “Sennheiser” to test every day another headset while having also some Skype meetings during the week. I promised to test the devices and write a report about them. To be honest, for the past years I’ve been using my Bose in-ear noise-cancelling headphones almost every day and I am more than happy with them. But since I am an open-minded person, I like it to try and test other things. And the best is, I didn’t have to buy them to test new devices.

    1. Headphone: Sennheiser SC 6×5 USB


Sound quality:

The quality of the sound is different. In a call, unwanted noises for the people who are talking and also background noises from the other attendees are filtered. Additionally, there is also a difference when you listen to music. These speakers are suitable for business and private.


The Headset has an S4B extender, with which you can answer a call, hang up and also adjust the volume + / -.


This headset has a very long cable. Especially when you pack the headset into your backpack, it can result in a mess. The reason for this long cable is that the headphone was originally planned to be used with a desktop tower where you must plug in the headphone to an USB port in the back of the tower. In my opinion, a modern workstation has mostly an USB port in front of the computer. So there is only limited need for such a long cable.


If you are looking for a device to use permanently on the workstation at your office, this headset meets your needs. I used a Jabra headset at home for a long time and for many meetings. After testing this device and only taking the call and sound quality into consideration, I would definitely prefer the Sennheiser one. Since I always hated dealing with a mess of cables, I personally would buy the wireless version, which is also available in this series. Its token has a range of 100 meters.

    2. Headphone: Sennheiser MB660 uc ms


Sound quality:

The quality of sound is just amazing and also the call quality is on another level than I have ever heard before. This device has a noise-cancelling-function; as soon as you enable it, there is no more surround sound or click to hear – totally different to what I am used to from my Bose in-ear noise-cancelling headphones which I have been using for years. If you put the Bose in-ear noise-cancelling headphones and start the noise-cancelling-function, you still hear clicks and it also feels like a vacuum in your head. But with the MB660 it is completely different: It just starts and the noises around you just go away as if by magic.


The over-the-ear headset comes with a nice box to store everything in. Furthermore, it has a jack cable and also a USB dongle for the Bluetooth connection in case your device has no BT. I also had a talk with the seller at the booth about this dongle, especially why we need it since nowadays every tablet or notebook already has BT. He explained to me that the transport of the voice from the headphone to the computer is encrypted with this BT connection and it is not possible to intercept and listen to the conversation. This means that you can use regular BT for listening to music and for business calls you can use the connection with the dongle.


There is also no handling needed with cables since it is wireless. On the side of the right ear shell you have touch to volume up and down and on the left ear shell you can change the sound optimization for call, disco, cinema and so on. You get also a 2mono jack connector to stereo, as we all know from the airplanes.



In a nutshell, if you travel sometimes by plane and also want to use the headset for working or maybe traveling by train and also want to use it for fun in your private vacation time, this is one of my favorites since it really is an all-in set.

Maybe I can test some other device from Sennheiser in the future and post some information about them. I really like what they produce!


Onboarding Clients to WDATP with Intune

Hi all,

I had a theater session at Ignite 2018 about how to onboard clients and servers to WDATP (Windows Defender Advanced Threat Protection). During this session, I asked the audience if they wanted a 20-minute demo session or just a look at the slides. The choice was clear: everyone voted for the demo session.

Personally, I like to have sessions which are fully packed with demos. In these sessions you learn the most, but in this case the story for a session gets lost and also the jokes during the session are difficult to make.

If you would like to watch the session first, here we go:

How to onboard your clients to Windows Defender Advanced Threat Protection  – THR3088


Please consider, that there are some changes for onboarding (around minute 9:00) since it is the explanation about onboarding with Intune. Especially in minute 11:30, the explanation is for the new material that I will write down here.

In the Intune Version for Microsoft Intune – Week of October 1, 2018:

Have a look at

Here we have some new information in Intune:

Log in to your Intune tenant over the portal and click on Intune / Device compliance / Windows Defender ATP.

As you saw in the session, you have to connect your Intune to the Security Center first and afterwards you can see the connection status “Available”. When you are connected, you can also see the doughnut chart which informs you about devices without ATP agent.

Screenshot: Intune > Device compliance > Windows Defender ATP blade, showing Connection status "Available", Last synchronized 10/6/2018, 10:30:52 AM, the option "Connect Windows devices version 10.0.15063 and above to Windows Defender ATP", and the "List of devices without ATP agent" chart with the link "Create a device configuration profile to configure ATP agent".

When you click on the link “Create a device configuration profile to configure the ATP Agent” below the doughnut chart, you will be routed directly to the Intune / Device configuration / Profiles where you can perform the following steps:

    1. Create a new profile
    2. Choose a name
    3. Select the platform “Windows10 and later”
    4. Select the profile type “Windows Def ATP”
    5. Select “Configure”

Screenshot: Create profile blade with Name "New Onboarding to ATP", Platform "Windows 10 and later", Profile type "Windows Defender ATP (Windows 10 Desktop)", and the settings "Sample sharing for all files" and "Expedite telemetry reporting frequency" set to Enable.

As you can see, you no longer have to upload the onboarding package from the ATP portal: the only two settings left are "Sample sharing for all files" and "Expedite telemetry reporting frequency". Enable both and that's it. Keep in mind what the first one does: it allows the ATP client to send file samples from the device to Microsoft for analysis, so enable it only if that is acceptable for the data on your clients.

To onboard every client to your environment, you just have to assign the profile to a device group or all device groups.

If you now look at the profile you created earlier with the onboarding file, the uploaded file is still shown there, but there is no longer any need for it. Once the new profile is assigned to all your devices, you can simply delete the old profile.

[Screenshot: Properties of the old "ATP OnBoarding" profile (Windows 10 and later, profile type Windows Defender ATP, 3 settings configured): "Windows Defender ATP client configuration package type" = Onboard with the uploaded, signed onboarding configuration file, plus "Sample sharing for all files" = Enable and "Expedite telemetry reporting frequency" = Enable.]

It is now very easy, right?

But please test it and confirm that the new profile really onboards your production devices before you delete the old profile.
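A quick way to do that test on a client is to read the onboarding state the Sense client writes to the registry and check that the Sense service is running. The script below is an added example, not part of the original post; the registry paths and value names are the ones Microsoft documents for onboarding troubleshooting, while the function name, the output shape and the assumption that the Intune sample-sharing setting ends up in the AllowSampleCollection policy value are mine. Run it elevated on a device after the new profile has applied.

```powershell
# Verify that a Windows 10 client has been onboarded to Windows Defender ATP.
# Added example for this post; run elevated on the client after the Intune profile applied.
function Test-AtpOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # OnboardingState = 1 means the Sense client completed onboarding; anything else is not onboarded.
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # OnboardingInfo is the blob the Intune/GPO onboarding writes; its presence shows the profile reached the device.
    $policyDelivered = $null -ne (Get-ItemProperty -Path $policyKey -Name OnboardingInfo -ErrorAction SilentlyContinue)

    # Assumption: the "Sample sharing for all files" setting is reflected here (1 = samples may be sent to Microsoft).
    $sampleSharing = (Get-ItemProperty -Path $policyKey -Name AllowSampleCollection -ErrorAction SilentlyContinue).AllowSampleCollection

    # The ATP sensor runs as the "Sense" service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Last few sensor events help when the state is not 1 (onboarding errors are logged here).
    $events = @(Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0] })

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $onboardingState
        Onboarded       = ($onboardingState -eq 1)
        PolicyDelivered = $policyDelivered
        SampleSharing   = $sampleSharing
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'not installed' }
        LastSenseEvents = $events
    }
}

$result = Test-AtpOnboarding
$result | Format-List

# Fail loudly so the script can also be used as a compliance check before the old profile is removed.
if (-not $result.Onboarded -or $result.SenseStatus -ne 'Running') {
    Write-Warning 'Device is not onboarded to ATP; keep the old profile assigned until this reports Onboarded = True.'
    exit 1
}
```

Only delete the old profile once devices from every targeted group report Onboarded = True and SenseStatus = Running; a device that shows PolicyDelivered = True but OnboardingState other than 1 has received the profile but the sensor has not finished onboarding, and the SENSE event log is the place to look.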

Hope it helps and saves you some time to have a beer….


Community HUB in Technical Preview

Configuration Manager Technical Preview 1809/1810 introduces a new Community Hub. It lets community members share PowerShell scripts with each other directly from the console.

More is coming in the future, such as configuration items (CIs) and reports that you can upload and share with others. It's pretty cool that you can share this stuff directly in SCCM.

By the way, this blog post was written with Technical Preview 1810; the final version may differ.


Right now, Microsoft only supports authentication of users in the Microsoft AAD tenant, so at the moment only MVPs and Microsoft field employees can upload scripts.

Here I'd like to show you the new feature that helps you share with the community (wait for the final version).

First, have a look at your existing script library, add a new script or make sure the script you want to share is approved in the library:

[Screenshot: Software Library > Scripts, 3 items: "Start Mode WinRM", "Get OS Version" and "Check Notepad shorcut on DT"; authors LAB\administrator and Si-Hong Lam; type PowerShell; approval state "Waiting for Approver".]

As a second step, click on the Community workspace and select "Hub":

[Screenshot: Community > Hub, Home tab, 2 results: "Get OS Version" by Sindhuri Yamala ("This is a sample public script") and "Start Mode WinRM" by Mirko Colemberg ("Check the Service Mode for WinRM").]

Here you can see the scripts which are already published by other community members.

(By the way you can see that I was the first who submitted a script :-))

The next step is to log in with your AAD or MSFT account (later also a Live ID) by clicking the "Sign in" button in the upper right corner. A window pops up that looks like the Azure portal login, because that is what it uses to sign you in.

[Screenshot: the Hub with the "Sign in" button in the upper right corner.]

[Screenshot: Microsoft sign-in dialog (in German): "Sign in", "Email, phone or Skype", "Can't access your account?", Back / Next.]

Next, you can upload an approved script from your library by selecting "My Hub" and then choosing "Add an item".

[Screenshot: "My Hub" tab for Mirko Colemberg with the "Add an item" button.]

A new window pops up where you can select an approved script from your SCCM repository.

Tip: at the moment you can only select "Scripts", but more options such as CIs and reports are coming.

[Screenshot: "Add an item" dialog: Type: Script; Name; Description; "Keep It Private" checkbox; Browse; Add; Cancel.]

Use the "Browse" button to find the script you would like to share. A new window pops up:

[Screenshot: "Select script" dialog ("Please select a script to contribute") listing "Start Mode WinRM" and "Check Notepad shorcut on DT"; OK / Cancel.]

It's important to know that you will only see approved scripts here!

Select the script you would like to upload and click "OK". You are returned to the previous window. Enter a name for the script and don't forget to fill in a description; otherwise the upload will fail.

[Screenshot: "Add an item" dialog filled in: Type: Script; Description: "This Script is to check a Shortcut on the Clients desktop"; "Keep It Private" unchecked.]

If you select the option "Keep It Private", the script will only show up in your own console, and only after you have logged in: in the "Home" tab together with all the other scripts, or in "My Hub" where you see only your own scripts. In other words, "Keep It Private" means you are the only one who can see the script, but you have to log in first:

Open the Console and go to Community / Hub

Without login it looks like this (you can only see all the Public scripts):

[Screenshot: Hub Home tab without login, 2 results: "Get OS Version" (Sindhuri Yamala) and "Start Mode WinRM" (Mirko Colemberg), both public.]

Login and select “My Hub”:

[Screenshot: "My Hub" after login, showing only "Check Notepad shorcut on DT" by Mirko Colemberg.]

And with the Login on the “Home” tab you can see all scripts (public and yours):

[Screenshot: Home tab after login, 3 results: the two public scripts plus "Check Notepad shorcut on DT" by Mirko Colemberg.]

After this little detour, back to the next step.

Now select the script you like:

[Screenshot: Script details for "Check Notepad shorcut on DT" by Mirko Colemberg, with the tabs Overview, Q & A and Ratings & Reviews. Type: Script; Created by: Mirko Colemberg; Created on: 10/04/2018; Changed Date: 10/04/2018; Downloaded: 0; Rating: 5.00 (0); "Download" button.]

(The "Q & A" and "Ratings & Reviews" tabs are still in "coming soon" status.)

When you select "Download", the script is added to your script repository.

[Screenshot: "Download Success!!" message on the script detail page.]

In the end you can go back to the Software Library and check if the script is there:

[Screenshot: Software Library > Scripts, now 4 items; the downloaded copy of "Check Notepad shorcut on DT" is listed with author LAB\administrator, type PowerShell and approval state "Waiting for approval".]

Check the name, the approval state ("Waiting for approval") and also the date. The author is always the account you used to log in to the console, not the person who published the script in the Hub.

As a last step, approve the script and use it. Remember that anything you approve here runs as SYSTEM on every client you target with Run Scripts, so read the downloaded content before approving it; in Hierarchy Settings you can also enable "Script authors require additional script approver", so that the account that downloaded the script cannot approve it itself.

Hope this helps to save some time which you can use for other task or to enjoy a beer

Normally I would write "test it first", but this feature is still in Technical Preview, which means it is only for testing anyway.



How to remove Apps from the Microsoft Store for Business

Since the Store for Business has been in place I have used it a lot, but there is one thing I really don't like about it: you can add as many apps (free and paid) as you like to your Private Store for your employees, but removing one of those apps from the Private Store is not implemented with a simple "remove" button.

But wait, there is a way to remove apps from your Private Store, so that you keep it clean and only manage the apps you really need, instead of apps that were added by mistake.

Here is how to remove an app from the Private Store in the Microsoft Store for Business:

  1. Log in to the Microsoft Store for Business with your global admin credentials
  2. Go to Manage -> Products & services and look for the app you would like to remove
  3. Select the app and:

a. Check the user assignment; it should be empty, otherwise you have to delete the assignment first.

[Screenshot: app "CamCard" (Free, Online, unlimited licenses, 0 used), Users tab: "No licenses have been assigned for this app."]

b. Also make sure the app is no longer in any Private Store collection.

[Screenshot: Private Store Collections tab: the app shows "Not in collection" for every collection.]

4. Go to Order history and find your app

5. Select the order link on the app

6. Now you see the order details; in the Actions column select Refund

[Screenshot: Order details for CamCard: order date 12/16/15, status Complete, quantity Unlimited, total CHF 0.00, with the Refund action.]

7. A pop-up message appears where you can "refund" the app

[Screenshot: "Refund order: All licenses for this order will be removed from inventory" (Cancel / Refund), followed by "This order has been refunded".]

8. After that, the status in the order details changes to Refunded

[Screenshot: Order details with Status: Refunded.]

9. Finally, your app is gone from the Private Store

[Screenshot: Manage > Products & services > Apps & software, searching for "camcard": No results found.]

Happy testing, and be careful: sometimes a "delete" (refund) job runs overnight before the app disappears from your store. There is no need to refund it again and again, just wait 24 hours. 🙂

Hope it helps to clean up your Private Store; have fun and enjoy a beer

