├── ADMX Custom Policies - STIG ├── Google Chrome v97 - STIG.json └── Readme ├── AddToRemoteDesktopUsers.ps1 ├── CheckSelfDeploying.ps1 ├── CmtraceIntune.zip ├── ConnectDrives.zip ├── Custom Compliance ├── Get-CredentialGuardCompliance.json ├── Get-CredentialGuardStatus.ps1 └── Readme ├── Dell Bios ├── DellSmBios-SetAdmPass.ps1 └── Readme ├── DesktopAppInstaller CSP Custom policy ├── Windows - Desktop App Installer Config.json └── readme ├── Edge Security Baseline 107 Settings catalog ├── Edge Baseline v107-109.json ├── EdgeAdditional.ps1 └── Readme ├── HP ├── HPClientMgmt-SetAdmPass.ps1 └── Readme ├── Make Enrolled user local admin └── SetLocalAdmin.ps1 ├── README.md ├── ReinstallWin32App ├── Readme ├── Reinstall-RemoteHelp-Detect.ps1 └── Reinstall-Remotehelp-Remediate.ps1 ├── RemoveAppsIntune.zip ├── SwitchFirewall ├── Readme └── SwitchFirewall.zip └── Windows MDM Security Baseline Settings Catalog └── readme /ADMX Custom Policies - STIG/Google Chrome v97 - STIG.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/ADMX Custom Policies - STIG/Google Chrome v97 - STIG.json -------------------------------------------------------------------------------- /ADMX Custom Policies - STIG/Readme: -------------------------------------------------------------------------------- 1 | I will upload and maintain custom ADMX Ingestion based policies here. 
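--------------------------------------------------------------------------------
/AddToRemoteDesktopUsers.ps1:
--------------------------------------------------------------------------------
# Script to add the user who enrolled the computer in Microsoft Entra to the
# Remote Desktop Users group (BUILTIN\Remote Desktop Users, SID S-1-5-32-555).
# Written by Jörgen Nilsson
# ccmexec.com
#
# Runs in the SYSTEM context (Intune PowerShell script). Security note: this
# group grants remote interactive logon over RDP, and the only input that
# decides who gets it is the enrolling identity read from HKLM. That key lives
# under HKLM\SYSTEM, which standard users cannot write, so it is trusted here;
# do not replace it with a value taken from the user session.

$LogFile = "$env:TEMP\RDPUsers.log"

# Resolve the group by its well-known SID so localized group names also work.
$LocalGroup = Get-LocalGroup -SID "S-1-5-32-555"
$Localgroupname = $LocalGroup.Name

function Get-MembersOfGroup {
    <#
    .SYNOPSIS
        Returns the member names of a local group via the WinNT ADSI provider.
    .PARAMETER GroupName
        Name of the local group (e.g. "Remote Desktop Users").
    .PARAMETER Computer
        Computer to query; defaults to the local machine.
    .OUTPUTS
        [string] one member name per output object, as the provider reports it.
        NOTE(review): for cloud (AzureAD\...) principals the provider may report
        the full UPN or an "AzureAD\upn" form rather than the bare local part —
        confirm on a test device before relying on an exact match.
    #>
    Param(
        [Parameter(Mandatory = $True, Position = 1)]
        [string]$GroupName,
        [string]$Computer = $env:COMPUTERNAME
    )

    $ADSIComputer = [ADSI]("WinNT://$Computer,computer")
    $group = $ADSIComputer.psbase.children.find("$GroupName", 'Group')

    $group.psbase.invoke("members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
}

# Get the UPN of the user that enrolled the computer to AAD / Entra ID.
# Each sub key of JoinInfo is one join record; the loop keeps the last one.
$AADInfo = Get-Item "HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo"
$RDPUsers = @(Get-MembersOfGroup $Localgroupname)

$UPN = $null
foreach ($guid in $AADInfo.GetSubKeyNames()) {
    $UPN = $AADInfo.OpenSubKey($guid).GetValue("UserEmail")
}

if ($UPN) {
    $Username = ($UPN -split "@")[0]
    # Match the bare local part (original behaviour), the full UPN, or the
    # AzureAD\upn form: the original compared only the local part, which does
    # not match when the provider reports cloud accounts by UPN, so the add
    # was attempted on every run and failed with "already a member".
    $AlreadyMember = ($RDPUsers -contains $Username) -or
                     ($RDPUsers -contains $UPN) -or
                     ($RDPUsers -contains "AzureAD\$UPN")

    if (-not $AlreadyMember) {
        try {
            Add-LocalGroupMember -Group $Localgroupname -Member "Azuread\$UPN" -ErrorAction Stop
            "Added AzureAD\$UPN as a member of the Remote Desktop Users." | Out-File -FilePath $LogFile
        }
        catch {
            # Log the real error and fail the script so Intune shows it as failed
            # instead of silently reporting success.
            "Failed to add AzureAD\$UPN to the Remote Desktop Users group: $($_.Exception.Message)" | Out-File -FilePath $LogFile
            exit 1
        }
    }
    else {
        "AzureAD\$UPN is already a member of the Remote Desktop Users Group." | Out-File -FilePath $LogFile
    }
}
else {
    "Failed to find an RDPUsername in registry." | Out-File -FilePath $LogFile
}
--------------------------------------------------------------------------------
/CheckSelfDeploying.ps1:
--------------------------------------------------------------------------------
# Script to check if the device is deployed as a self-deploying device
# Written by Jörgen Nilsson
# ccmexec.com
#
# Emits $true when the identity recorded by the Entra join is the "autopilot"
# account, which this script uses as the marker for self-deploying mode.
# NOTE(review): the marker name is carried over from the original script —
# confirm it matches what JoinInfo\<guid>\UserEmail holds on a self-deployed
# device in your tenant before using the result in a compliance decision.

function Get-EnrolledUser {
    <#
    .SYNOPSIS
        Returns the local part (before '@') of the UPN that enrolled the device.
    .OUTPUTS
        [string] the user name, or an empty string when no join info is found.
    #>
    # Get the UPN of the user that enrolled the computer to AAD
    $AADInfo = Get-Item "HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo"

    $UPN = $null
    foreach ($guid in $AADInfo.GetSubKeyNames()) {
        $UPN = $AADInfo.OpenSubKey($guid).GetValue("UserEmail")
    }
    $UserName = ($UPN -split "@")[0]
    Write-Output $UserName
}

# BUG FIX: the original read `if (Get-EnrolledUser -eq "autopilot")`, which
# passes "-eq" and "autopilot" as arguments to the function instead of comparing
# its result, so the condition was true for any non-empty user name. The call
# has to be parenthesised for the comparison to apply to its output.
if ((Get-EnrolledUser) -eq "autopilot") {
    return $true
}
else {
    return $false
}
--------------------------------------------------------------------------------
/CmtraceIntune.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/CmtraceIntune.zip
--------------------------------------------------------------------------------
/ConnectDrives.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/ConnectDrives.zip
--------------------------------------------------------------------------------
/Custom Compliance/Get-CredentialGuardCompliance.json:
--------------------------------------------------------------------------------
{
    "Rules":[
        {
            "SettingName":"CredentialGuardRunning",
            "Operator":"IsEquals",
            "DataType":"Boolean",
            "Operand":true,
            "MoreInfoUrl":"https://ccmexec.com",
            "RemediationStrings":[
                {
                    "Language":"en_US",
                    "Title":"Credential 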
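Guard is not enabled",
                    "Description": "Please make sure that Credential Guard is enabled on your device. For more information, contact servicedesk"
                }
            ]
        }
    ]
}
--------------------------------------------------------------------------------
/Custom Compliance/Get-CredentialGuardStatus.ps1:
--------------------------------------------------------------------------------
# Intune custom compliance discovery script for Credential Guard.
# Queries the Device Guard WMI class and reports whether Credential Guard is
# actually *running* (SecurityServicesRunning), not merely configured.
# The script must write exactly one line of compact JSON whose key matches the
# "SettingName" in the paired Get-CredentialGuardCompliance.json; any other
# output on stdout breaks the compliance parser.
#
# SecurityServicesRunning value 1 is documented as Credential Guard (2 is HVCI);
# only 1 is checked here. If the class cannot be read, $DevGuard is $null and the
# result is $false, i.e. the device is reported as non-compliant rather than
# silently passing.
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$CredentialGuardRunning = [bool]($DevGuard.SecurityServicesRunning -contains 1)
$CredGuardStatus = @{ "CredentialGuardRunning" = $CredentialGuardRunning }
Return $CredGuardStatus | ConvertTo-Json -Compress
--------------------------------------------------------------------------------
/Custom Compliance/Readme:
--------------------------------------------------------------------------------
This folder contains Custom Compliance samples
--------------------------------------------------------------------------------
/Dell Bios/DellSmBios-SetAdmPass.ps1:
--------------------------------------------------------------------------------
# Sets (or changes) the Dell BIOS/UEFI admin (setup) password using the
# DellBIOSProvider module bundled next to this script. Intended to run as
# SYSTEM from Intune (Win32 app); a registry value is written for detection.
#
# SECURITY NOTE: the two passwords below are plaintext placeholders. A script
# delivered through Intune ends up on every target device, so anyone who can
# read the package or its logs learns the BIOS password. Replace the
# placeholders before use and prefer fetching the values at run time from a
# protected source rather than committing them here. Leave $OldPassword empty
# ("") when no admin password is currently set.
$NewPassword = "Password1"
$OldPassword = "Password2"
$DetectionRegPath = "HKLM:\SOFTWARE\Onevinn\Intune\DellBIOSProvider"
$DetectionRegName = "PasswordSet"
$ModulePath = "$env:ProgramFiles\WindowsPowerShell\Modules\DellBIOSProvider"

Start-Transcript -Path "$env:TEMP\$($(Split-Path $PSCommandPath -Leaf).ToLower().Replace(".ps1",".log"))" | Out-Null

if (-not (Test-Path -Path $DetectionRegPath)) {
    New-Item -Path $DetectionRegPath -Force | Out-Null
}

function Set-DetectionMarker {
    # Writes the detection value. -Force so a re-run over an existing value does
    # not error (the original New-ItemProperty call failed on a second run).
    New-ItemProperty -Path $DetectionRegPath -Name $DetectionRegName -Value 1 -Force | Out-Null
}

# The module is copied from the package ($PSScriptRoot) into the machine-wide
# module path and then runs as SYSTEM. Supply-chain note: only package a module
# obtained from Dell and verify its signature before building the package.
if (Test-Path -Path $ModulePath) {
    Write-Output "DellBIOSProvider folder already exists @ $ModulePath."
    Write-Output "Deleting the folder..."
    Remove-Item -Path $ModulePath -Recurse -Force
}

Write-Output "Copying DellBIOSProvider module to: $ModulePath"
Copy-Item -Path "$PSScriptRoot\DellBIOSProvider\" -Destination $ModulePath -Recurse -Force

try {
    Import-Module "DellBIOSProvider" -Force -Verbose -ErrorAction Stop
}
catch {
    Write-Output "Error importing module: $_"
    Stop-Transcript
    exit 1
}

$IsAdminPassSet = (Get-Item -Path DellSmbios:\Security\IsAdminPasswordSet).CurrentValue
$ExitCode = 0

if ($IsAdminPassSet -eq $false) {
    Write-Output "Admin password is not set at this moment, will try to set it."
    Set-Item -Path DellSmbios:\Security\AdminPassword "$NewPassword"
    if ((Get-Item -Path DellSmbios:\Security\IsAdminPasswordSet).CurrentValue -eq $true) {
        Write-Output "Admin password has now been set."
        Set-DetectionMarker
    }
    else {
        # The original stayed silent here and exited 0, so Intune reported success.
        Write-Output "Admin password could not be set."
        $ExitCode = 1
    }
}
else {
    Write-Output "Admin password is already set"
    # BUG FIX: $OldPassword is assigned a string literal above, so the original
    # `$null -eq $OldPassword` test could never be true; test for empty instead.
    if ([string]::IsNullOrEmpty($OldPassword)) {
        Write-Output "`$OldPassword variable has not been specified, will not attempt to change admin password"
    }
    else {
        Write-Output "`$OldPassword variable has been specified, will try to change the admin password"
        try {
            Set-Item -Path DellSmbios:\Security\AdminPassword "$NewPassword" -Password "$OldPassword" -ErrorAction Stop
            # BUG FIX: the marker used to be written regardless of the outcome,
            # so a wrong $OldPassword still made detection report "done".
            # NOTE(review): this relies on the provider raising an error on a
            # rejected password; verify with your module version.
            Set-DetectionMarker
        }
        catch {
            Write-Output "Failed to change the admin password (is `$OldPassword correct?): $($_.Exception.Message)"
            $ExitCode = 1
        }
    }
}

Stop-Transcript
exit $ExitCode
--------------------------------------------------------------------------------
/Dell Bios/Readme:
--------------------------------------------------------------------------------
Sample script (DellSmBios-SetAdmPass.ps1) to set or change the Dell BIOS admin password using PowerShell.
--------------------------------------------------------------------------------
/DesktopAppInstaller CSP Custom policy/Windows - Desktop App 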
Installer Config.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/DesktopAppInstaller CSP Custom policy/Windows - Desktop App Installer Config.json
--------------------------------------------------------------------------------
/DesktopAppInstaller CSP Custom policy/readme:
--------------------------------------------------------------------------------
Example Desktop App installer CSP policy
--------------------------------------------------------------------------------
/Edge Security Baseline 107 Settings catalog/Edge Baseline v107-109.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/Edge Security Baseline 107 Settings catalog/Edge Baseline v107-109.json
--------------------------------------------------------------------------------
/Edge Security Baseline 107 Settings catalog/EdgeAdditional.ps1:
--------------------------------------------------------------------------------
# Creates the two Microsoft Edge policy values required by the Edge Security
# Baseline v107 that are not exposed in the Intune settings catalog.
# Both are machine policies under HKLM\SOFTWARE\Policies, so the script must
# run in the system (device) context; in user context the writes are denied.
#
# Per the Edge policy reference, WebSQLAccess=0 leaves Web SQL disabled and
# SharedArrayBufferUnrestrictedAccessAllowed=0 restricts SharedArrayBuffer to
# cross-origin-isolated contexts. Both values are written as REG_DWORD.

$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"

# Name -> value, written in this order.
$EdgePolicyValues = [ordered]@{
    "WebSQLAccess"                               = "0"
    "SharedArrayBufferUnrestrictedAccessAllowed" = "0"
}

# Create the Microsoft Edge policy key if it does not exist yet
if (-not (Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force
}

# Write each value; -Force overwrites an existing value of the same name
foreach ($Policy in $EdgePolicyValues.GetEnumerator()) {
    New-ItemProperty -Path $RegistryPath -Name $Policy.Key -Value $Policy.Value -PropertyType dword -Force
}

--------------------------------------------------------------------------------
/Edge Security Baseline 107 Settings catalog/Readme:
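--------------------------------------------------------------------------------
Rewrite of the Edge Security Baseline version 107 (same for 108-109) based on the settings catalog.
To apply all settings, the PowerShell script EdgeAdditional.ps1 is also needed: it sets the two additional settings that are not in the settings catalog.
--------------------------------------------------------------------------------
/HP/HPClientMgmt-SetAdmPass.ps1:
--------------------------------------------------------------------------------
# Sets (or changes) the HP BIOS setup (admin) password using the
# HP.ClientManagement module (and its HP.SoftPaq.Shared dependency) bundled next
# to this script. Intended to run as SYSTEM from Intune (Win32 app); a registry
# value is written for detection.
Start-Transcript -Path "$env:TEMP\$($(Split-Path $PSCommandPath -Leaf).ToLower().Replace(".ps1",".log"))" | Out-Null

# SECURITY NOTE: the two passwords below are plaintext placeholders. A script
# delivered through Intune ends up on every target device, so anyone who can
# read the package or its logs learns the BIOS password. Replace the
# placeholders before use and prefer fetching the values at run time from a
# protected source rather than committing them here. Leave $OldPassword empty
# ("") when no setup password is currently set.
$NewPassword = "Password1"
$OldPassword = "Password2"
$DetectionRegPath = "HKLM:\SOFTWARE\Onevinn\Intune\HPClientMgmt"
$DetectionRegName = "PasswordSet"
$ModuleRoot = "$env:ProgramFiles\WindowsPowerShell\Modules"
$Modules = @("HP.ClientManagement", "HP.SoftPaq.Shared")

if (-not (Test-Path -Path $DetectionRegPath)) {
    New-Item -Path $DetectionRegPath -Force | Out-Null
}

function Set-DetectionMarker {
    # Writes the detection value; -Force so a re-run over an existing value works.
    New-ItemProperty -Path $DetectionRegPath -Name $DetectionRegName -Value 1 -Force | Out-Null
}

# Replace any existing copy of each module with the one from the package.
# Supply-chain note: whatever is in the package runs as SYSTEM — only ship
# modules obtained from HP and check their signatures before packaging.
foreach ($Module in $Modules) {
    $Target = Join-Path $ModuleRoot $Module
    if (Test-Path -Path $Target) {
        Write-Output "$Module folder already exists @ $Target."
        Write-Output "Deleting the folder..."
        Remove-Item -Path $Target -Recurse -Force
    }
    Write-Output "Copying $Module module to: $Target"
    Copy-Item -Path "$PSScriptRoot\$Module\" -Destination $Target -Recurse -Force
}

try {
    Import-Module "HP.ClientManagement" -Force -Verbose -ErrorAction Stop
}
catch {
    Write-Output "Error importing module: $_"
    Stop-Transcript
    exit 1
}

$IsAdminPassSet = Get-HPBiosSetupPasswordIsSet
$ExitCode = 0

if ($IsAdminPassSet -eq $false) {
    Write-Output "Admin password is not set at this moment, will try to set it."
    Set-HPBiosSetupPassword -newPassword "$NewPassword"
    if ((Get-HPBiosSetupPasswordIsSet) -eq $true) {
        Write-Output "Admin password has now been set."
        Set-DetectionMarker
    }
    else {
        # The original stayed silent here and exited 0, so Intune reported success.
        Write-Output "Admin password could not be set."
        $ExitCode = 1
    }
}
else {
    Write-Output "Admin password is already set"
    # BUG FIX: $OldPassword is assigned a string literal above, so the original
    # `$null -eq $OldPassword` test could never be true; test for empty instead.
    if ([string]::IsNullOrEmpty($OldPassword)) {
        Write-Output "`$OldPassword variable has not been specified, will not attempt to change admin password"
    }
    else {
        Write-Output "`$OldPassword variable has been specified, will try to change the admin password"
        try {
            Set-HPBiosSetupPassword -newPassword "$NewPassword" -Password "$OldPassword" -ErrorAction Stop
            # BUG FIX: the marker used to be written after the catch block too,
            # i.e. even when the change failed, so detection reported "done".
            Set-DetectionMarker
        }
        catch {
            # Every PowerShell error derives from RuntimeException, so the
            # original filter on that type caught everything; report the real
            # message instead of assuming it was access denied.
            Write-Output "Failed to change the admin password (verify that `$OldPassword is correct): $($_.Exception.Message)"
            $ExitCode = 1
        }
    }
}

Stop-Transcript
exit $ExitCode
--------------------------------------------------------------------------------
/HP/Readme:
--------------------------------------------------------------------------------
Sample script to configure HP Bios using PowerShell
--------------------------------------------------------------------------------
/Make Enrolled user local admin/SetLocalAdmin.ps1:
--------------------------------------------------------------------------------
# Script to add the user who enrolled the computer in Microsoft Entra to the
# local Administrators group (BUILTIN\Administrators, SID S-1-5-32-544).
# (The original header, "update User GPO from System context using a Schedule
# Task", was copied from an unrelated script and did not describe this one.)
# Written by Jörgen Nilsson
# ccmexec.com
#
# Runs in the SYSTEM context from Intune. SECURITY NOTE: this grants the
# enrolling user permanent, unconditional local administrator rights on the
# device. The enrolling identity is read from HKLM\SYSTEM, which standard
# users cannot write, so it is trusted here; keep the assignment of this
# script as narrow as possible and prefer a time-bound elevation mechanism
# where one is available.

# Resolve the group by its well-known SID so localized group names also work.
$LocalAdminGroup = Get-LocalGroup -SID "S-1-5-32-544"
$Localadmingroupname = $LocalAdminGroup.Name

function Get-MembersOfGroup {
    <#
    .SYNOPSIS
        Returns the member names of a local group via the WinNT ADSI provider.
    .PARAMETER GroupName
        Name of the local group (e.g. "Administrators").
    .PARAMETER Computer
        Computer to query; defaults to the local machine.
    .OUTPUTS
        [string] one member name per output object, as the provider reports it.
        NOTE(review): for cloud (AzureAD\...) principals the provider may report
        the full UPN or an "AzureAD\upn" form rather than the bare local part —
        confirm on a test device before relying on an exact match.
    #>
    Param(
        [Parameter(Mandatory = $True, Position = 1)]
        [string]$GroupName,
        [string]$Computer = $env:COMPUTERNAME
    )

    $ADSIComputer = [ADSI]("WinNT://$Computer,computer")
    $group = $ADSIComputer.psbase.children.find("$GroupName", 'Group')

    $group.psbase.invoke("members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
}

# Get the UPN of the user that enrolled the computer to AAD / Entra ID.
# Each sub key of JoinInfo is one join record; the loop keeps the last one.
$AADInfo = Get-Item "HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo"
$Localadmins = @(Get-MembersOfGroup $Localadmingroupname)

$UPN = $null
foreach ($guid in $AADInfo.GetSubKeyNames()) {
    $UPN = $AADInfo.OpenSubKey($guid).GetValue("UserEmail")
}

if ($UPN) {
    $Username = ($UPN -split "@")[0]
    # Match the bare local part (original behaviour), the full UPN, or the
    # AzureAD\upn form: the original compared only the local part, which does
    # not match when the provider reports cloud accounts by UPN, so the add was
    # attempted on every run and failed with "already a member".
    $AlreadyMember = ($Localadmins -contains $Username) -or
                     ($Localadmins -contains $UPN) -or
                     ($Localadmins -contains "AzureAD\$UPN")

    # BUG FIX: the original wrote "Added ... as local administrator." to the log
    # before doing anything; that premature write is gone.
    if (-not $AlreadyMember) {
        try {
            Add-LocalGroupMember -Group $Localadmingroupname -Member "Azuread\$UPN" -ErrorAction Stop
            "Added AzureAD\$UPN as local administrator." | Out-File -FilePath $env:TEMP\LocalAdmin.log
        }
        catch {
            # Log the real error and fail the script so Intune does not show success.
            "Failed to add AzureAD\$UPN to $Localadmingroupname`: $($_.Exception.Message)" | Out-File -FilePath $env:TEMP\LocalAdmin.log
            exit 1
        }
    }
    else {
        "AzureAD\$UPN is already a local administrator." | Out-File -FilePath $env:TEMP\LocalAdmin.log
    }
}
else {
    "Failed to find an administrator candidate in registry." `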
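| Out-File -FilePath $env:TEMP\LocalAdmin.log
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Intune-MEM
This repository contains scripts that I blog about on my blog https://ccmexec.com

ConnectDrives contains a script that creates a scheduled task with a trigger so it executes when connecting to a network with a specific name.
--------------------------------------------------------------------------------
/ReinstallWin32App/Readme:
--------------------------------------------------------------------------------
Information on how to use the script can be found on https://ccmexec.com
--------------------------------------------------------------------------------
/ReinstallWin32App/Reinstall-RemoteHelp-Detect.ps1:
--------------------------------------------------------------------------------
<#
Version: 1.0
Author:
- Jorgen Nilsson (ccmexec.com)
Script: Reinstall-RemoteHelp-Detect.ps1
Description: Detection half of a remediation pair. It always reports "issue
  detected" (exit 1) so the paired remediation script - which uninstalls the
  app and clears its IME state - runs every time the pair is evaluated. Scope
  the assignment tightly and remove it once the reinstall has happened.
Hint: This is a community script. There is no guarantee for this. Please check thoroughly before running.
Version 1.0: Init
Run as: Admin
Context: 64 Bit
#>

# Always trigger: a non-zero exit code tells Intune to run the remediation
Write-Output "Script will always be triggered"
exit 1
--------------------------------------------------------------------------------
/ReinstallWin32App/Reinstall-Remotehelp-Remediate.ps1:
--------------------------------------------------------------------------------
<#
Version: 1.0
Author:
- Jorgen Nilsson (ccmexec.com)
Script: Reinstall-Remotehelp-Remediate.ps1
Description: Forces a Win32 app to be delivered again by the Intune Management
  Extension (IME): uninstalls the MSI, removes the app's entries from the IME
  Win32Apps registry hive so IME no longer considers it installed, then
  restarts the IME service from a detached process.
  $AppID and $MSIProductCode are tenant/app specific - replace them with the
  Intune app ID and MSI product code of the app you want to reinstall.
Hint: This is a community script. There is no guarantee for this. Please check thoroughly before running.
Version 1.0: Init
Run as: Admin
Context: 64 Bit
#>

#Define AppID/MSIProductcode
$AppID = "f3f8ea42-2a57-42e5-999e-399d01337e9b"
$MSIProductCode = "{1E06C136-5B6F-4A98-8296-CEFE858DEEE6}"

#Uninstall application
# BUG FIX: Start-Process does not throw when msiexec returns an error, so the
# original try/catch never saw a failed uninstall and went on to wipe the IME
# state anyway. Check the exit code instead: 0 = success, 3010 = success with
# reboot required, 1605 = product not installed (nothing to remove).
# "/norestart" is the documented msiexec switch; "/noreboot" in the original is
# not documented and may be rejected as an invalid command line.
try {
    $Msi = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList "/x $MSIProductCode /quiet /norestart" -Wait -PassThru -ErrorAction Stop
}
catch {
    Write-Output "Failed to start msiexec: $($_.Exception.Message)"
    exit 1
}
if ($Msi.ExitCode -notin 0, 3010, 1605) {
    Write-Output "msiexec /x $MSIProductCode failed with exit code $($Msi.ExitCode); leaving IME state untouched"
    exit 1
}

#Clear IME registry values for this app only. Keys/values are matched on the
#app ID; "*AppAuthority*" keys are excluded as in the original.
$Regpath = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
Get-ChildItem -Path $Regpath -Recurse -Exclude "*AppAuthority*" |
    Where-Object { $_.PSChildName -like "*$AppId*" -or $_.Property -like "*$AppId*" } |
    Remove-Item -Recurse -Force

#Restart IME service. This script is itself run by IME, so restarting the
#service in-process would kill the script before it reports its result; a
#detached PowerShell waits for the remediation to finish, then restarts IME.
Start-Process -FilePath powershell -ArgumentList '-Executionpolicy bypass -command "& {Start-Sleep 160 ; Restart-Service -Name IntuneManagementExtension -Force}"'

#Exit script
Exit 0

--------------------------------------------------------------------------------
/RemoveAppsIntune.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/RemoveAppsIntune.zip
--------------------------------------------------------------------------------
/SwitchFirewall/Readme:
--------------------------------------------------------------------------------
Script that can be used to switch the Windows Firewall profile on AAD joined devices. 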
--------------------------------------------------------------------------------
/SwitchFirewall/SwitchFirewall.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ccmexec/Intune-MEM/229da72d062f93846c7de4f8e1fa70c43fb4a386/SwitchFirewall/SwitchFirewall.zip
--------------------------------------------------------------------------------
/Windows MDM Security Baseline Settings Catalog/readme:
--------------------------------------------------------------------------------
Settings catalog version of the Windows MDM Security Baseline.
After importing it, test the policy and verify in the Intune portal that every setting from the baseline is present.

Provided as is - use at your own risk.

I will create a new export after testing the import, as there is a known import issue.
--------------------------------------------------------------------------------