In the latest update of Windows Intune, a new method has been introduced to disable Windows Copilot through the settings catalog policy. Previously, the technique revolved around CSP and registry, but now users can conveniently manage this setting directly within the settings catalog. There are plenty of blog posts showing how to do it via CSP and registry, and we are not going into that here.
What is Windows Copilot?
For those unfamiliar, Windows Copilot (formerly Bing Chat) is a built-in AI-powered intelligent assistant that helps you get answers and inspirations from across the web, supports creativity and collaboration, and enables you to focus on the task at hand.
How to Disable Windows Copilot via Settings Catalog Policy
The process to disable Windows Copilot through the settings catalog policy is simple and straightforward. Here’s a step-by-step guide:
# Define parameters for the new device management configuration policy $params = @{ name = "DisableCopilot" description = "Disable AI copilot" platforms = "windows10" technologies = "mdm" roleScopeTagIds = @( "0" ) settings = @( @{ "@odata.type" = "#microsoft.graph.deviceManagementConfigurationSetting" settingInstance = @{ "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" settingDefinitionId = "user_vendor_msft_policy_config_windowsai_turnoffwindowscopilot" choiceSettingValue = @{ "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue" value = "user_vendor_msft_policy_config_windowsai_turnoffwindowscopilot_1" children = @() } } } ) }
# Create a new device management configuration policy with the specified parameters New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $params
Check out my other blog post that outlines how to use MS Graph and Powershell to execute the above code.
I hope you’ll find this insightful for easily disabling the Copilot within the Windows 11 physical and Windows 365 Cloud PC fleet of device. Please let me know if I’ve missed any steps or details, and I’ll be happy to update the post.
If you’re looking to customize the branding displayed at the top of the sign-in screen for Windows 365 Boot, you’re in the right place. In a previous workflow within the Intune Portal, I deployed the Windows 365 Boot and all I needed was to incorporate the company logo, text, and lock screen wallpaper.
Create or edit a configuration profile for Windows 10 and later devices with the Settings catalog profile type, specifically for the “W365Boot Windows 365 Boot Shared PC Device Configuration Policy”.
Click on edit on “Configuration Settings” and select “Add.”
Enter the details within the table for the OMA-URI and values:
Upload your company logo in the specified format and size.
Enter your company name in the designated field.
Save your changes and ensure they are applied to the login screen.
This straightforward process allows you to personalize the login experience for your Windows 365 users, enhancing your company’s branding and identity.
Company Name and Logo
See how the Name and Logo appear on the Windows 365 Boot Physical PC.
LockScreen Logo
Check out how the Lock Screen appears on the Windows 365 Boot Physical PC.
I trust you’ll find this insightful for customizing the end-user experience on the physical Windows 365 Boot device. Please let me know if I’ve missed any steps or details, and I’ll be happy to update the post.
In the Dec 4th, 2023 for Windows 365 Enterprise, the reports for Cloud PC actions were announced. In today’s post, I will showcase how to access and make sense of the new report available within Microsoft Intune.
What does the report offer?
The Cloud PC Actions Report, currently in public preview, is a powerful report within the Windows 365 ecosystem. It provides detailed information on various actions taken by administrators on the Cloud PCs. Imagine you have multiple teams and admins within your organisation. This report can help you track the actions along with the Status and Date initiated, which can come in handy for troubleshooting and audit purposes.
Accessing the report – Cloud PC Actions
To view the report in Microsoft Intune portal, you can follow these steps:
Go to Devices > Monitor > Others > Cloud PC Actions (preview).
What Actions are displayed?
The following actions are included in the report:
Action
Description
Create Snapshot
This action allows administrators to capture the current state of a Cloud PC. It’s useful for backup purposes or before making significant changes, ensuring that there’s a point to revert back to if needed.
Move Region
This feature enables the relocation of a Cloud PC to a different geographic region. It’s particularly beneficial for organizations with a global presence, ensuring that Cloud PCs are hosted closer to where the users are located, potentially improving performance and compliance with regional data laws.
Place Under Review
This action is used to flag a Cloud PC for further examination. It could be due to performance issues, security concerns, or compliance checks. Placing a PC under review may restrict certain functionalities until the review is completed.
Power On/Off (W365 Frontline only)
Specific to Windows 365 Frontline, this action allows administrators to remotely power on or off a Cloud PC. This is crucial for managing devices in a frontline environment, where PCs might need to be controlled outside of regular working hours.
Reprovision
Reprovisioning a Cloud PC involves resetting it to its initial state. This action is useful when a PC needs to be reassigned to a different user or if it’s experiencing significant issues that can’t be resolved through regular troubleshooting.
Resize
This action refers to changing the size/specifications of a Cloud PC, such as adjusting its CPU, RAM, or storage. It’s essential for adapting to changing workload requirements or optimizing resource allocation.
Restart
Administrators can remotely restart a Cloud PC. This is a basic but critical action for applying updates, implementing configuration changes, or resolving minor issues.
Restore
This action allows the restoration of a Cloud PC to a previous state using a saved snapshot. It’s a vital feature for recovery scenarios, such as after a failed update or when dealing with software issues.
Troubleshoot
This is a general action that encompasses various diagnostic and repair tasks to resolve issues with a Cloud PC. It might include running automated diagnostics, checking logs, or applying fixes.
How This Report Benefits You
Enhanced Troubleshooting: Quickly identify failed actions and understand potential reasons for failure.
Efficient Management: Monitor ongoing actions and ensure smooth operation of Cloud PCs.
Actionable Insights: Make informed decisions based on the status and details of actions taken.
If you have a failed action you can select and click on retry and it will try to perform the action on your behalf.
Bonus – PowerShell Access to Cloud PC Actions Report
To get the csv download of the report via MS Graph follow these steps:
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Beta Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph.Beta
Step 2 – Connect to scopes and specify which API you wish to authenticate to. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”
#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All" -NoWelcome
Welcome To Microsoft Graph!
Step 3 – Check the User account by running the following beta command.
The Cloud PC Actions Report is a significant addition to Windows 365, offering a level of transparency and control that administrators have long sought. I hope you will find this helpful information for tracking the Cloud PC actions via this report. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Are you looking to keep a vigilant eye on your Windows 365 environment? Good news! You can now send Windows 365 audit events to Azure Log Analytics, Splunk, or any other SIEM system that supports it.
Understanding the Scope of Windows 365 Audit Logs
When it comes to monitoring your Cloud PC environment, Windows 365 audit logs are an indispensable resource. These logs provide a comprehensive chronicle of significant activities that result in modifications within your Cloud PC setup (https://intune.microsoft.com/). Here’s what gets captured:
Creation Events: Every time a Cloud PC is provisioned, it’s meticulously logged.
Update Events: Any alterations or configurations changes made to an existing Cloud PC are recorded.
Deletion Events: If a Cloud PC is decommissioned, this action is also captured in the logs.
Assignment Events: The process of assigning Cloud PCs to users doesn’t go unnoticed; it’s all in the logs.
Remote Actions: Activities such as remote sign-outs or restarts are tracked for administrative oversight.
These audit events encompass most actions executed via the Microsoft Graph API, ensuring that administrators have visibility into the operations that affect their Cloud PC infrastructure. It’s important to note that audit logging is an always-on feature for Windows 365 customers. This means that from the moment you start using Cloud PCs, every eligible action is automatically logged without any additional configuration.
Windows 365 and Azure Log Analytics
Windows 365 has made it easier than ever to integrate with Azure Log Analytics. With a few simple PowerShell commands, you can create a diagnostic setting to send your logs directly to your Azure Log Analytics workspace.
Sign in to the Microsoft Intune admin center, select Reports > Diagnostic settings (under Azure monitor)> Add Diagnostic settings.
Under Logs, select Windows365AuditLogs.
Under Destination details, select the Azure Log Analytics and choose the Subscription & Workspace.
Select Save.
Query the Azure Log Analytics
Once your logs are safely stored in Azure Log Analytics, retrieving them is a breeze. You can use Kusto Query Language (KQL) to extract and analyze the data. Here’s a basic example of how you might query the logs:
Leverage Graph API to retrieve Windows 365 audit events
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Beta Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph.Beta
Step 2 – Connect to scopes and specify which API you wish to authenticate to. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the policy, so we need to change the scope to “CloudPC.ReadWrite.All”
#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All" -NoWelcome
Welcome To Microsoft Graph!
Permissions for MS Graph API
Step 3 – Check the User account by running the following beta command.
Integrating Windows 365 with Azure Log Analytics is a smart move for any organization looking to bolster its security and compliance posture. With the added flexibility of forwarding to multiple endpoints, you’re well-equipped to handle whatever audit challenges come your way.
I hope you will find this helpful information for enabling and quering Windows 365 Audit Logs in Azure Logs Analytics or using Graph API with PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In the Aug 28, 2023 release and Dec 4th, 2023 for Windows 365 Enterprise, the reports for Connected Frontline Cloud PCs were announced. In today’s post, I will showcase how to access and make sense of the new report available within Microsoft Intune.
What does the report offer?
The primary aim of the Connected Frontline Cloud PCs report is to provide clarity on concurrent connections based on each frontline Cloud PC. This is crucial for businesses and IT Admins to understand their usage patterns and ensure they have the correct number of licenses. By analyzing the maximum concurrent connections, we can determine if there’s a need to acquire more licenses. This ensures that end users have uninterrupted access to their Frontline Cloud PCs. You can read more about Frontline Cloud PC provisioning in my previous blog post – PowerShell – Frontline Workers – Create Windows 365 Cloud PC Provisioning Policy | AskAresh
Accessing the report – Connected Frontline Cloud PCs
To view the report in Microsoft Intune portal, you can follow these steps:
If you don’t have the necessary permissions to manage Windows 365. You will also need these two roles to view the report (SharedUseLicenseUsageReport and SharedUseServicePlans)
Go to Devices > Overview > Cloud PC performance (preview) > You will find the report name Connected Frontline Cloud PCs. > Select View report
I have two licenses for Windows 365 Frontline Cloud PCs in my lab. I have four provisioned Cloud PCs. However, the maximum Cloud PCs that can be connected and worked upon simultaneously are two.
Scenario 1 – One Frontline Cloud PC connected out of my total two licenses
There is no warning here when one frontline Cloud PC is connected.
Scenario 2 – Two Frontline Cloud PC connected out of my total two licenses
You can see a warning stating you have reached the concurrency limit. The third session of frontline cloud PC will not be allowed.
Concurrent Frontline Cloud PC Connections
This is how the overall report looks when you click on the Cloud PC Size. The report aggregates data for the last 28 days and showcases:
The current number of connected Frontline Cloud PCs.
The maximum number of connected Frontline Cloud PCs for each day within the selected range (either 7 or 28 days).
The maximum concurrency limit.
Warnings when nearing or reaching the maximum concurrency limit.
It’s worth noting that this report is tailored for Windows 365 Frontline. If a business hasn’t purchased any Windows 365 Frontline licenses, the report will remain empty.
New Filter (Frequency – Hourly)
In the Dec 2023 release the new filter which shows hourly data for the consumption of the Frontline Worker desktops. Understanding usage patterns on an hourly basis, allows for more precise planning and ensures that resources and licenses are allocated efficiently. This is especially important for organizations relying heavily on Frontline Cloud PCs, where even minor disruptions can lead to significant workflow challenges.
This is how the Hourly Report will look like and you will be able to make the decision based on usage:
I hope you will find this helpful information for estimating and tracking the frontline worker concurrent usage via this report. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In the July 2023 release for Azure Virtual Desktop, the Watermarking and Session capture protection features became generally available. Numerous blog posts already showcase how to enable the feature using Group Policy. In today’s post, I will showcase how to enable Watermarking and Session Capture protection using Microsoft Intune for Session Host Virtual machines that are Azure AD joined.
Prerequisites
You’ll need the following things ready before you can rollout watermarking/session capture protection:
Azure Virtual Desktop: You must have Azure Virtual Desktop deployed (Pooled or Personal Desktops) and set up in your Azure environment.
Microsoft Intune: You should have an active subscription to Microsoft Intune, which is a cloud-based service that enables device management and security. The role within Intune Portal for creating and assigning the configuration profiles is – Policy and Profile manager built-in role-based access control (RBAC) role.
Azure Active Directory: Your Azure Virtual Desktop environment should be integrated with Azure Active Directory (AD) (The Host pools RDP properties – targetisaadjoined:i:1). The AAD Security groups must be in place, which has the members as the session’s host in AVD.
Azure AD Joined Devices: The session host virtual machines (VMs) you want to enable Watermarking and Session Capture protection for should be Azure AD joined. This means they must be connected to Azure AD and registered as members of your organization’s directory.
Windows 11 operating system for the client along with the Azure Virtual Desktop Client or Remote Desktop Client versions 1.2.x and higher
Configuration Profiles – Intune
To enable the Watermarking and Session Capture protection features in Azure Virtual Desktop using Microsoft Intune Configuration profiles and Azure AD joined devices, you can follow these steps:
In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop. You should see settings in the Azure Virtual Desktop subcategory available for you to configure, such as “Enable watermarking” and “Enable screen capture protection”
Select the “Enable screen capture protection” settings, too and leave the values as defaults. (Feel free to tweak it based on your requirements)
Assigning the configuration to the AAD group, which has all the session host devices
Reboot the session host after applying or wait until the next maintenance cycle
Client Validation
Connect to a remote session with a supported client (Azure Virtual Desktop Client or Remote Desktop Client versions 1.2.x), where you should see QR codes appear.
The QR code only works for Windows 11 Multi-session\Windows 11 Enterprise (pooled or personal desktops). The RemoteApps will not show the QR code as its not supported.
Screenshot protection – In the session, it will be completely blank if you try to take a screenshot. Below is an example. I was trying to take a screenshot of the text file, and the screenshot was completely blank.
Mobile Phone Photo
When you try to take a screenshot from the mobile phone, this is how it will look, and it will pop the Connection ID. You have this connection ID you can match in Azure Insights.
Azure Virtual Desktop Insights
To find out the session information from the QR code by using Azure Virtual Desktop Insights:
Open a web browser and go to https://aka.ms/avdi to open Azure Virtual Desktop Insights. Sign-in using your Azure credentials when prompted.
Select the relevant subscription, resource group, host pool and time range, then select the Connection Diagnostics tab.
In the section Success rate of (re)establishing a connection (% of connections), there’s a list of all connections showing First attempt, Connection Id, User, and Attempts. You can look for the connection ID from the QR code in this list, or export to Excel.
I hope you will find this helpful information for getting started with Watermarking and Screenshot protection for the Azure Virtual Desktop – Session Host. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Note – The best method of assigning the DNS Servers is through the DHCP server. If you are setting the IP using DHCP, always make sure you add/remove additional DNS Client Servers from there. In my situation, there was no DHCP server, hence the detailed blog post.
Prerequsites
We are going to implement this configuration via Microsoft Intune using the Scripts:
The necessary Microsoft Intune permissions to create, the PowerShell Scripts.
A device group available within Microsoft Entra with all the devices you want to target this change.
PowerShell Script for DNSClient (Additional DNS Servers)
Save the below script and place on the desktop and we shall be uploading it to Microsft Intune portal – “AddDNSClient.ps1″
Please enter the proper DNS Server Address within the script based on your environment and requirement. In the example below the existing two DNS servers are 8.8.8.8 and 8.8.8.4. We are adding additional two DNS Servers 9.9.9.9 and 9.9.9.4.
Select Devices > Scripts > Add > Windows 10 and later.
In Basics, enter the following properties, and select Next:
Name: AddDNSClientServers
Description: Additional DNS Server 3 & 4
In Script settings, enter the following properties, and select Next:
Script location: Browse to the PowerShell script. saved previously and upload it (AddDNSClient.ps1)
Run this script using the logged on credentials: Select No.
Enforce script signature check: Select No
Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell host on a 64-bit client architecture.
Select Assignments > Select groups to include. Add the AAD group “Win11-P-DG”
Wait for approx. 15-20 minutes and the policy will apply to the managed devices. (Machine Win11-Intune-15)
Managed Device
You can validate that the settings have been applied to the client by going to the path – C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and opening the file IntuneManagementExtension.txt. I copied the policy ID – cf09649b-78b7-4d98-8bcc-b122c29e5527 from the Intune portal hyperlink and searched within the log file. We can see the policy has been applied successfully.
I hope you will find this helpful information for applying additional DNS servers via Intune – Scripts and PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
If you’re managing Windows 365 Cloud PCs, keeping track of alerts can be a daunting task. Fortunately, Azure Logic Apps can help automate this process by sending alerts directly to your Microsoft Teams channel. In this blog post, we’ll explore how to set up this integration, so you can stay on top of your Windows 365 environment without constantly checking the portal or notifications within the Intune portal.
Note – Within the Microsoft Intune admin center portal you can already send notifications via email.
Set up your Microsoft Teams channel
To start, you’ll need to create a Microsoft Teams channel where you want to receive alerts. If you don’t have one already, create a new channel and name it something like “Windows365Alerts.”
Next, within the newly created channel, add the Connector – Incoming Webhook
Click on Configure of the Incoming Webhook connectors by entering the Name – Win365Alerts and custom image. Why not use the Windows 365 Cloud PC Logo and click on create.
Please copy the link and save it for all future reference purposes. We will be using this URL within the Azure Logic Apps.
Azure Active Directory Enterprise App (MS Graph API)
Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell
Connect to Azure Portal and go to Azure Active Directory
Click on App Registrations and select – New Registration
Give the App a Name – GraphAPI-App
You will get two important information created for later use within Powershell
Application ID
Tenant ID
Now let’s grant this App GraphAPI-App Permission. Click on Add a permission and select MS Graph and search for Cloud PC– CloudPC.ReadAll and select read permissions and Add Permissions
Select Grant admin consent for domain
We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
Give it a name (Deviceconfig_secret) and expiry date (12 months)
Copy the Secret Value
Azure Key Vault – (Store the Secret)
This is an optional step, and I highly recommend this step for all production environments as the secret is stored within the Azure Key Vault, and within the Azure Logic Apps, you will call this secret.
After creating the value, go to Secret and click on Generate/Import, and under manual, enter a name and paste the secret key we created in the above step.
Additionally, I will dedicate a service account(svc_kv_api) specifically for this secret retrieval for the Azure Logic Apps. Let’s add the service account with the necessary permissions under the Access Policies and give it Get and List permissions.
Create an Azure Logic App
Next, you’ll need to create an Azure Logic App. In the Azure portal, search for “Logic Apps” and click “Create.” Give your Logic App a name and select your desired subscription, resource group, and location. Then click “Review + Create” and “Create” to create your Logic App.
Configure your Logic App
Once your Logic App is created, click “Logic App Designer” and select blank logic app template and add the other operations shown below:
Step 1 – Recurrence (A schedule that will be triggered)
Depending upon your SLA agreements, put a trigger. In this example, I have selected every 3 min.
Step 2 – Fetch the Secret from the Azure Key Vault
In the earlier step, we created the Azure Key vault and stored the secret there. In this step, we will make the Azure Logic Apps Fetch the Secret
Tenant ID – Copy from the above steps
KeyVault Name – Copy from the above steps
Click on Sign and use the dedicated service account to fetch this Secret
Step 3 – HTTP Get the Alerts for Windows 365 Using MS Graph API
We shall create the HTTP request using the Windows 365 Alert API – List and authenticate the call using the secret. Enter all the information shown in the screenshot.
Step 4 – We shall Parse the JSON output from the above API GET request
Create the Parse JSON operation, and we will enter the below sample JSON output. Note I have run the GET and got the output from the API. Paste the below code into the schema example. It will auto-generate the below output for your use without values inside.
Step 5 – Post the Alert to Microsoft Teams using the HTTP operation
Create the HTTP Operation, select POST, enter the webhook URL from the above step on MS Teams, and paste it within the URL. With the Headers add Content-Type: application/json and paste the below body code.
{
"text": "**Alert name:** @{items('For_each')?['displayName']} \n\n **Status:** @{items('For_each')?['status']} \n\n **Severity:** @{items('For_each')?['severity']} \n\n **Detect Date:** @{items('For_each')?['detectedDateTime']} \n\n **Resolved Date:** @{items('For_each')?['resolvedDateTime']} \n\n **Alert Rule Template:** @{items('For_each')?['alertRuleTemplate']} \n\n **Alert Impact:** @{items('For_each')?['alertImpact']}",
"title": "Windows 365 Cloud PC Alerts with status and Severity "
}
Step 6 – Run the workflow
The above will now start running the Azure Logic Apps every 3 mins and keep sending the alerts to Microsoft teams
I need help filtering the alerts based on specific Status and Severity. If you manage to get to that, please message me, and I will happily include those bits in the blog post.
I hope you will find this helpful information for enabling Windows 365 Alerts within the MS Teams using the Azure Logic Apps. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Remote Help in Microsoft Intune works by enabling IT administrators to remotely control a user’s mobile device, allowing them to view the device’s screen and interact with it in real-time. This enables administrators to quickly diagnose and fix issues on the device, without needing to be physically present with the user.
To use Remote Help in Microsoft Intune, IT administrators first need to enable the feature in the Intune console. Once enabled, administrators can initiate a remote session with a user’s device by sending an invitation link to the user via email or text message. The user then clicks on the link to join the remote session, allowing the administrator to remotely control the device.
In the blog post I will showcase how to enable this feature via PowerShell instead of the Microsoft Intune admin center portal.
Pre-requsites
An active Microsoft Intune subscription.
An Azure AD (Active Directory) subscription with administrative access.
The Azure AD application registration credentials, including client ID and secret.
Permissions to access and manage Microsoft Intune and Microsoft Graph API resources.
PowerShell and AzureAD PowerShell module installed on the local machine to run PowerShell scripts.
A valid Azure AD authentication token to authenticate and authorize Microsoft Graph API requests.
Create the Client Secret for MS Graph
Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell
Connect to Azure Portal and go to Azure Active Directory
Click on App Registrations and select – New Registration
Give the App a Name – MSGraph-DeviceMgmt-Secret
You will get two important information created for later use within Powershell
Application ID
Tenant ID
Now let’s grant this App MSGraph Permission. Click on Add a permission and select MS Graph and search for Device – DeviceManagementConfiguration and select read-write permissions and Add Permissions
Select Grant admin consent for domain
Note that RemoteSettings, aka Remote Help, falls under Device Management Configurations. We will use that for the permissions (read-write)
We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
Give it a name (Deviceconfig_secret) and expiry date (12 months)
Copy the Secret Value
Variable Region
Delcare all the variable within this section. Lets take a look at what we are declaring within the script:
GraphEndpoint and resource URL if you notice we are using the remoteAssistanceSettings
# Define the Graph API endpoint and resource URL
$graphEndpoint = "https://graph.microsoft.com"
$resourceUrl = "$graphEndpoint/beta/deviceManagement/remoteAssistanceSettings"
# Define the authentication parameters
$clientId = "XXXXXXXX-6f08-XXXXX-a6ff-XXXXXXXXXXXXX"
$clientSecret = "Q-D8Q~XXXXXXXXXXXXXXXXXXXXXXXXXXX"
$tenantId = "XXXXXXXXXX-d8f4-4c55-XXXXX-XXXXXXXXXXX"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"
# Authenticate to the Graph API and obtain an access token
$tokenResponse = Invoke-RestMethod -Method Post -Uri $authority `
-Body @{
client_id = $clientId
client_secret = $clientSecret
scope = $scope
grant_type = "client_credentials"
} `
-Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
}
$accessToken = $tokenResponse.access_token
# Define the payload for the PATCH request
$payload = @{
"@odata.type" = "#microsoft.graph.remoteAssistanceSettings"
"remoteAssistanceState" = "enabled"
"allowSessionsToUnenrolledDevices" = $false
"blockChat" = $false
} | ConvertTo-Json
# Send a PATCH request to the remoteAssistanceSettings resource with the updated payload
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
"Content-length" = $payload.Length
}
Invoke-RestMethod -Method Patch -Uri $resourceUrl -Headers $headers -Body $payload
Validations
After running the powershell script now check the portat it will be enabled
Overall, Remote Help in Microsoft Intune is a powerful tool for IT administrators, enabling them to quickly diagnose and fix issues on mobile devices, improving productivity and reducing downtime. If you’re using Microsoft Intune, be sure to take advantage of this powerful feature to improve your device management capabilities.
I hope you will find this helpful information for enabling Remote Help using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.
Search – CSP Details
The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:
How to disable Search Highlights in Microsoft Endpoint Manager
To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:
For Profile type, select Templates > Custom and select Create.
Enter a Name – DisableSearchHighlight and description and choose Next
Under the OMA-URI Settings, clicks on Add
Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.
Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.
Click on Review and Save
Validate the Policy is applying
After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)
Cloud PC – Within Windows 11
Login to the Windows 365 Cloud PC, and now when you click on Search, the advertisements and search highlights are gone.
I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Recent Comments