Deploying Apps using Microsoft Intune - Part 2 - Windows EXE files

Windows EXE files can be deployed via Intune to install on school devices. There are no set rules on installer switches when deploying an application as an EXE, so some trial and error may be needed. Guidance can sometimes be found on the internet or from the software publisher. I would always recommend checking the publisher's website and testing the install before deploying to all devices in the school.

For more information on Win32 app (EXE) deployment please visit: https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add

GitHub link for the IntuneWinAppUtil.exe: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool


Deploying Apps using Microsoft Intune - Part 3 - Windows MSI files

Windows MSI files can be deployed via Intune to install on school devices. There are no set rules on installer switches when deploying an application as an MSI, so some trial and error may be needed. Guidance can sometimes be found on the internet or from the software publisher. I would always recommend checking the publisher's website and testing the install before deploying to all devices in the school.


Deploying Apps using Microsoft Intune - Part 1 - Windows Store Apps

Microsoft Windows Store apps can be deployed through Intune either automatically or by placing them into the Company Portal for staff to install themselves.

Windows Store apps are a great option when looking to install applications on devices. They are generally updated automatically on a regular basis, meaning very low maintenance for IT administrators.

For more information on Windows Store App deployment please visit: https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-microsoft

Microsoft Intune Interface Guide - Part 3 - Accessing Local Admin password on tenants with LAPS enabled

Local admin accounts are sometimes required to support users or access devices. To provide a secure local admin experience on new devices, and on devices not running our image, we have started rolling out Windows LAPS (Local Administrator Password Solution) in Intune environments.

Microsoft say: “Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices.”


Microsoft Intune Interface Guide - Part 2 - Device Wiping Options

Device wiping and reconfiguration options are available within Intune. This means rebuilds may be completed without the device being returned to the school or IT office; it can be repaired or reset on location.

There are several options available, which we cover below in the video and documentation.

Device Wipe Options:

  • Retire: This action removes managed app data (where applicable), settings and email profiles that were assigned using Intune. The device is removed from Intune management, but will remain listed in Intune until it next reports in.
  • Wipe: This action restores a device to its factory default settings. The user data is kept if you choose the Retain enrolment state and user account checkbox. Otherwise, all data, apps and settings are removed.
  • Fresh Start: This option removes any apps that are installed on a PC running Windows 10, version 1709 or later and Windows 11. Fresh start helps remove pre-installed (OEM) apps that are typically installed with a new PC.
  • Autopilot Reset: This option takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. Specifically, Windows Autopilot reset:
    • Removes personal files, apps and settings
    • Reapplies a device's original settings
    • Sets the region, language and keyboard to the original values
    • Maintains the device's identity connection to Microsoft Entra ID
    • Maintains the device's management connection to Intune

For more information please visit: https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe


Microsoft Intune Interface Guide - Part 4 - Accessing a device's BitLocker Key

In this module we will be discussing how IT admins and users can access a device's BitLocker key if required.

BitLocker is Microsoft's built-in disk encryption system, designed to make devices more secure. Combined with Secure Boot, it helps protect the data on a device from being accessed by unauthorised users.

Our configuration requires devices to have a TPM chip, which enables a seamless login experience; however, a device may still ask for an unlock (recovery) key if changes have been made to the system.

For more information on BitLocker please visit: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices
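As an added example (not part of this module, and not a script from Microsoft or Intune), the following PowerShell, run as administrator on a managed device, reports the BitLocker state of the OS volume, checks that a TPM protector is present, prints the recovery key ID that an admin matches against the record shown in Intune, and re-escrows each recovery password to Entra ID, which is where Intune reads the keys from. Only standard BitLocker module cmdlets are used; the output wording is my own.

```powershell
# Added example (not from the original module): check the OS volume's BitLocker
# protectors and make sure every recovery password is backed up to Entra ID.
# Run in an elevated PowerShell session on the device.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

Write-Host ("{0}: ProtectionStatus={1} VolumeStatus={2} Method={3}" -f `
    $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionMethod)

# The seamless sign-in described in the module relies on a TPM-based protector;
# without one the device would ask for a recovery key on every boot.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')) {
    Write-Warning "No TPM-based protector found on $($vol.MountPoint)."
}

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No recovery password protector; Intune will have no key to show for this device."
}

foreach ($p in $recovery) {
    # KeyProtectorId is the 'Recovery key ID' shown on the pre-boot recovery screen;
    # admins match it against the Intune/Entra record. The recovery password itself
    # is deliberately not written anywhere.
    Write-Host "Recovery key ID: $($p.KeyProtectorId)"

    # Re-escrow to Entra ID. Safe to repeat: it only pushes this protector to the
    # device's Entra object so the key is visible to admins in Intune.
    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
}
```

If the device is not Entra joined (for example a purely domain-joined device), BackupToAAD-BitLockerKeyProtector fails; in that case the key is escrowed to Active Directory instead and the Intune portal will not show it.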

Microsoft Intune Interface Guide - Part 1 - The Interface

The Microsoft Intune interface is the site used for managing all devices hosted within Intune, whether that is a Windows device, iPad, Android or Linux. Any of these device types can be managed once Intune is configured.

Most of our schools will be using Intune for managing Windows devices in either a Hybrid deployment or a Cloud-managed deployment. Some schools, such as Isleham, use Intune for iPad management.

In the video below we will be looking at the different sections of the Intune management interface and at the information held on devices.

We will go into details of other areas later in the module.


Manual Autopilot - Part 2 - Boot device into command prompt and register in Intune

The first step to registering a new out-of-box device is to connect the device to power and network. If the device does not have a network port, it is possible to use a wireless network.

  • Wait for device to boot into Windows
  • At the welcome screen select United Kingdom and select Yes
  • If your device does not have a wired network port, select the correct keyboard layout (in this example United Kingdom) and select Yes until you see a screen that lets you connect to a wireless network. Otherwise skip to the next step
  • Press the SHIFT and F10 keys together
  • This opens a command prompt window without the need to log in to Windows.
  • We now need to enter a command to run PowerShell. Enter the following text into the command window:
    • PowerShell.exe -ExecutionPolicy Bypass
  • Once the prompt has changed to PowerShell, enter the following command:
    • Install-Script -name Get-WindowsAutopilotInfo -Force
  • The command above installs the Windows Autopilot info script from the internet. If you are asked to allow or confirm anything, click Yes
  • Next run the following command:
    • Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
  • This step sets the execution policy for the current process only, before we attempt to run the script.
  • Finally, run the following command:
    • Get-WindowsAutopilotInfo -Online
  • This runs the downloaded script. You will be asked to enter Global Admin credentials for the school's tenant and may be asked to authorise a Graph permissions prompt. Enter the credentials and agree to the Graph authorisation.
  • The script will then continue and, once completed, notify you whether the device has been successfully registered in Intune.
  • Make a note of the serial number as we will need this in the next step.
  • We can now shut the machine down by typing the following command:
    • shutdown /s /f
  • DO NOT JUST TURN THE MACHINE OFF
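The commands from the steps above gathered into one PowerShell script, as an added example that is not part of the original guide. It assumes the script is copied to a USB stick and started from the SHIFT-F10 prompt with the PowerShell.exe line above plus -File (the path in the comment is a placeholder), that the device has a TPM, and that Get-WindowsAutopilotInfo accepts -OutputFile for a local CSV copy of the hardware hash, as its PowerShell Gallery documentation describes; the Install-Script, Set-ExecutionPolicy and Get-WindowsAutopilotInfo -Online calls are the ones from the steps. The serial number is recorded before registration so it is available for the next step even if something fails part way through.

```powershell
# Added example (not from the original guide): the Part 2 steps as one script.
# Start it from the SHIFT-F10 command prompt, e.g. (placeholder path):
#   PowerShell.exe -ExecutionPolicy Bypass -File D:\Register-Autopilot.ps1

# Relax the policy for this process only; the machine-wide setting is untouched.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Record the serial number first; Part 3 needs it to find the device in Intune.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
Write-Host "Device serial number: $serial"

# Our configuration expects a TPM for seamless sign-in; warn now rather than
# after the device has been shipped.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not present or not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))"
}

# Pull the Get-WindowsAutopilotInfo script from the PowerShell Gallery and show
# which version actually got installed, so the source is visible in your notes.
Install-Script -Name Get-WindowsAutopilotInfo -Force
$installed = Get-InstalledScript -Name Get-WindowsAutopilotInfo
Write-Host "Installed Get-WindowsAutopilotInfo $($installed.Version) from $($installed.Repository)"

# Register the device. -Online prompts for the tenant's Global Admin / Intune
# Administrator credentials and the Graph consent, exactly as in the steps.
# -OutputFile (assumed from the script's documentation) keeps a local CSV copy.
Get-WindowsAutopilotInfo -Online -OutputFile "$env:TEMP\autopilot-$serial.csv"

Write-Host "Registration finished for serial $serial. Note the serial, then run: shutdown /s /f"
```

Keep the CSV with the rest of the device's paperwork; it contains the hardware hash, so treat it as sensitive and do not leave it on the USB stick once the device is registered.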

Manual Autopilot - Part 3 - Move device in Intune to the relevant group

The next step is to log in to the school's M365 tenancy. You will need the school's global admin account, or an account with Intune administrative rights, to access this.

  • Open a new incognito browser window, or the browser profile for the school.
  • Navigate to https://intune.microsoft.com
  • Log in with the relevant credentials
  • From the options on the left, select Devices
  • Select Enrollment
  • Then select Devices from the central screen
  • You will now see a list of devices that are Autopilot enabled.
  • Using the serial number, confirm your device is visible in the list. If it is not visible then it either did not enrol (which should have been flagged in the previous step) or it has been enrolled in the wrong tenant, in which case you will need to find the relevant tenant and remove it from that school's Intune.
  • If the device is there, click on it and take a copy of the serial number.
  • From the menu options on the left, select Groups
  • In the search box that appears in the centre of the screen, enter Dev; this should list all the device groups associated with this site.
  • Open the group relevant to the device you are working on. In the demo it is Dev-Teacher-Devices.
  • Select Members
  • Then select Add
  • In the search box, paste the serial number we copied earlier. The device should appear in the list. Select it.
  • Now select Devices from the left-hand menu
  • Select Windows
  • Select Enrollment
  • Select Devices
  • This takes us back to the window we looked at a few moments ago
  • Find the device serial number and check the Profile Status column, confirming it is set to Assigned. If it is not, we will need to wait while an Autopilot profile is assigned in the background.
  • Keep refreshing the page until it appears as Assigned.
  • Once assigned, we are ready to deploy/configure the device or ship it to the end user.
  • The next step we will cover is the process of user or device login to register settings.
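A scripted version of the two checks above (is the serial number in this tenant's Autopilot list, and has its profile reached Assigned), as an added example that is not part of the original guide. It assumes the Microsoft.Graph PowerShell module is installed on the technician's machine, that the signed-in account can read Autopilot device identities (the DeviceManagementServiceConfig.Read.All scope), and that the Graph field deploymentProfileAssignmentStatus starts with 'assigned' when the portal shows Assigned (taken from the Graph reference and treated here as an assumption). It only reads; adding the device to its Dev- group is still done in the portal as described.

```powershell
# Added example (not from the original guide): confirm a serial number is
# registered in this tenant and wait until its Autopilot profile is Assigned.
# Usage: .\Check-AutopilotDevice.ps1 -SerialNumber <serial from Part 2>
param(
    [Parameter(Mandatory)][string]$SerialNumber,
    [int]$TimeoutMinutes = 15
)

# Read-only permission is enough for this check; nothing in the tenant is changed.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"

# Same list the portal shows under Devices > Enrollment > Devices, filtered by serial.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities" +
       "?`$filter=contains(serialNumber,'$SerialNumber')"

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    $device = $result.value | Where-Object { $_.serialNumber -eq $SerialNumber }

    if (-not $device) {
        # Mirrors the guide: it either failed to register, or landed in another school's tenant.
        Write-Warning "Serial $SerialNumber is not in this tenant. Check the Part 2 output and the other school tenants."
        return
    }

    # Status values assumed from the Graph reference; 'assigned*' is what the
    # portal's Profile Status column shows as Assigned.
    $status = $device.deploymentProfileAssignmentStatus
    Write-Host ("{0}  serial={1}  groupTag='{2}'  status={3}" -f `
        (Get-Date -Format T), $device.serialNumber, $device.groupTag, $status)

    if ($status -like 'assigned*') {
        Write-Host "Profile assigned. The device can be deployed, configured or shipped."
        return
    }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

Write-Warning "Profile still not assigned after $TimeoutMinutes minutes. Check the device's group membership and the Autopilot deployment profile assignments."
```

Running it from an incognito window is not relevant here, but the same tenant separation applies: use Disconnect-MgGraph before checking a device for a different school so the cached sign-in does not point the query at the wrong tenant.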

Manual Autopilot - Part 4 - Login to device to finish setup

This next step can be completed either by an end user or by a technician, depending on the school's requirements.

This step includes device configuration, device enrolment and user profile creation, and takes place through end-user prompts.

Ideally you would set up the device using the end user's login; however, on student devices this may not be possible, so you can use the admin account you used earlier.

  • Confirm the device is plugged in to power and has some kind of network connection, then follow the on-screen instructions.