Microsoft Intune | Windows Device Enrollment Restrictions

  • Published: 17 Oct 2024
  • #Intune #IntuneMDM #MDM #MobileDeviceManagement
    Windows Device Enrollment Restriction
    Corporate Device Identifier
    Microsoft Article - docs.microsoft...
    Regards,
    ConceptsWork
    SCRIPT
    ----------------------------------------------
    Write-Host "================================================================================"
    Write-Host "This is a sample script to check enrollment failure logs per user"
    Write-Host "================================================================================"
    Write-Host "This script requires a registered application with the permissions mentioned below"
    Write-Host -ForegroundColor Green "// DeviceManagementManagedDevices.Read.All // User.Read.All"
    Write-Host "Before executing the script, make sure you have granted the permissions."
    Write-Host "================================================================================"

    # Taking input for tenant name
    $tenant = Read-Host 'Enter your Tenant Name'
    Write-Host "Tenant name you entered is $tenant"

    # Querying the OpenID Connect discovery document of the tenant for its endpoints
    # (the URL is truncated in the video description)
    $Openid = Invoke-RestMethod -Uri "login.microsof..."
    $authendpoint = $Openid.authorization_endpoint
    $tokenendpoint = $Openid.token_endpoint
    Write-Host "Authorize endpoint of your tenant is $authendpoint"
    Write-Host "Token endpoint of your tenant is $tokenendpoint"

    # Client-credentials request body (app-only token, no signed-in user)
    $Body = @{
        client_id     = "3d6b3600-ec8c-4c33-8d3e-57f379726fd7" # Replace this value with your application's client ID
        client_secret = "_ce_MQ0d7.qGMko58ZdcHl.l~dg5lSgc60"   # Replace this value with your application's client secret (read it from a secure store rather than keeping it in the script)
        redirect_uri  = "localhost"                            # Make sure you have added this value in redirect URI (not used by the client_credentials grant)
        grant_type    = "client_credentials"
        scope         = "graph.microsof..."
        tenant        = "$tenant"
    }

    # Invoke-RestMethod throws on an HTTP error instead of returning $null, so the
    # failure path needs a try/catch; the result is null-checked afterwards as well
    try {
        $token = Invoke-RestMethod -Uri $tokenendpoint -Body $Body -Method Post -ErrorAction Stop
    }
    catch {
        $token = $null
        Write-Host $_.Exception.Message -ForegroundColor Red
    }

    if ($null -eq $token -or -not $token.access_token)
    {
        Write-Host "Unable to Acquire Access Token" -ForegroundColor Red
        Write-Host "Script is exiting" -ForegroundColor Red
        Write-Host "There must be some parameter missing from body Object" -ForegroundColor Red
        exit
    }
    else {
        Write-Host "Access token acquired Successfully"
        Write-Host "-----------------------------------------"
        # Echoes the bearer token for debugging; it grants Graph access until it expires,
        # so drop this line before sharing console output or transcripts
        $token.access_token
        Write-Host "-----------------------------------------"
        Write-Host "Initiating Script --"
        Write-Host "-----------------------------------------"
        # Authorization header reused by every Graph call below
        $headers = @{ Authorization = "Bearer $($token.access_token)" }

        Write-Host "Do you want to query all users or specific user"
        Write-Host "Type 1 for All users"
        Write-Host "Type 2 for Specific user"
        $option = Read-Host "Type 1 or 2"

        if ($option -eq '1')
        {
            Write-Host "Querying Error Event for all the users" -ForegroundColor Green
            # Enrollment troubleshooting events endpoint (URL truncated in the video description)
            $events = "graph.microsof..."
            $Data = Invoke-RestMethod -Headers $headers -Uri $events -Method Get
            # Only the first page of results is read here; follow @odata.nextLink for more
            $Issue = $Data.Value
            $Issue | Select-Object eventDateTime, operatingSystem, osVersion, failureCategory, failureReason, troubleshootingErrorDetails | Format-Table
        }
        elseif ($option -eq '2')
        {
            # Taking input for user name
            $user = Read-Host 'Enter user UPN'
            Write-Host "User name you entered is $user"
            Write-Host "Querying User ObjectID"
            # User lookup endpoint (URL truncated in the video description)
            $apiUrl = "graph.microsof..."
            $Data = Invoke-RestMethod -Headers $headers -Uri $apiUrl -Method Get
            $ObjectID = $Data.id
            if (-not $ObjectID)
            {
                Write-Host "User $user was not found" -ForegroundColor Red
                exit
            }
            Write-Host "ObjectId of the user is $ObjectID"
            Write-Host "Querying Error Event for $user" -ForegroundColor Green
            # Per-user enrollment troubleshooting events endpoint (URL truncated in the video description)
            $events = "graph.microsof..."
            $Data = Invoke-RestMethod -Headers $headers -Uri $events -Method Get
            $Issue = $Data.Value
            if (-not $Issue)
            {
                Write-Host "No enrollment failure events found for $user"
            }
            else
            {
                Write-Host "Last Enrollment Failure"
                # Sort client-side so "last" really is the newest event regardless of API ordering
                $displayError = ($Issue | Sort-Object eventDateTime -Descending)[0].troubleshootingErrorDetails
                $displayError
            }
        }
        else
        {
            Write-Host "You have entered an Invalid Value"
            Write-Host "Re-Initiate Script"
        }
    }
    #-------------
    #Script Ends
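The description's script reads only the first page of Graph results and keeps the client secret in the script body. The following is an added example, not the video author's script and not Microsoft's code, showing the two pieces a practitioner usually wants next: a token helper that takes the secret as a SecureString, a collection reader that follows @odata.nextLink, and a summary of enrollment failures by category. The endpoint URLs (https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token and https://graph.microsoft.com/beta/deviceManagement/troubleshootingEvents), the .default scope, the function names and the sample events are assumptions of this example, not values from the page.

```powershell
# Added example (not from the video description). Assumed endpoints are labelled below.

function Get-GraphAccessToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        # SecureString so the secret is prompted for or pulled from a vault, never stored in the script text
        [Parameter(Mandatory)] [securestring] $ClientSecret
    )
    # Assumed v2.0 token endpoint (the description's URL is truncated)
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        client_id     = $ClientId
        client_secret = $plainSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'   # assumed app-only scope
    }
    try {
        $response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body -ErrorAction Stop
    }
    catch {
        throw "Token request failed: $($_.Exception.Message)"
    }
    return $response.access_token
}

function Get-GraphCollection {
    # Walks a Graph collection until @odata.nextLink is absent; a single
    # Invoke-RestMethod call (as in the description's script) returns one page only
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items = @()
    $next = $Uri
    while ($next) {
        $page = Invoke-RestMethod -Uri $next -Headers $headers -Method Get -ErrorAction Stop
        $items += $page.value
        $next = $page.'@odata.nextLink'
    }
    return $items
}

function Get-EnrollmentFailureSummary {
    # Counts enrollment events per failureCategory, optionally for one operating system,
    # so restriction-driven failures stand out from authentication or device problems
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $OperatingSystem
    )
    # Keep only items that carry the enrollment event fields (other troubleshooting event types lack them)
    $enrollment = $Events | Where-Object { $null -ne $_.PSObject.Properties['failureCategory'] }
    if ($OperatingSystem) {
        $enrollment = $enrollment | Where-Object { $_.operatingSystem -eq $OperatingSystem }
    }
    $enrollment |
        Group-Object -Property failureCategory |
        Sort-Object -Property Count -Descending |
        ForEach-Object { [pscustomobject]@{ FailureCategory = $_.Name; Count = $_.Count } }
}

# Constructed sample events in the shape the description's script selects from; not real tenant data
$sampleEvents = @(
    [pscustomobject]@{ eventDateTime = '2024-10-01T09:00:00Z'; operatingSystem = 'Windows'; osVersion = '10.0.19045'; failureCategory = 'enrollmentRestrictionsEnforced'; failureReason = 'Personal device enrollment blocked'; troubleshootingErrorDetails = 'constructed' }
    [pscustomobject]@{ eventDateTime = '2024-10-01T10:15:00Z'; operatingSystem = 'Windows'; osVersion = '10.0.19045'; failureCategory = 'enrollmentRestrictionsEnforced'; failureReason = 'Personal device enrollment blocked'; troubleshootingErrorDetails = 'constructed' }
    [pscustomobject]@{ eventDateTime = '2024-10-02T08:30:00Z'; operatingSystem = 'Windows'; osVersion = '10.0.22631'; failureCategory = 'authentication';                 failureReason = 'Token validation failed';            troubleshootingErrorDetails = 'constructed' }
    [pscustomobject]@{ eventDateTime = '2024-10-02T11:00:00Z'; operatingSystem = 'Android';  osVersion = '13';        failureCategory = 'deviceNotSupported';              failureReason = 'Platform blocked';                   troubleshootingErrorDetails = 'constructed' }
)

# Offline run over the constructed sample: Windows-only summary
Get-EnrollmentFailureSummary -Events $sampleEvents -OperatingSystem 'Windows' | Format-Table -AutoSize

# Against a real tenant (interactive; placeholders, not values from the page):
# $secret = Read-Host -Prompt 'Client secret' -AsSecureString
# $token  = Get-GraphAccessToken -TenantId '<tenant-id-or-domain>' -ClientId '<app-client-id>' -ClientSecret $secret
# $events = Get-GraphCollection -Uri 'https://graph.microsoft.com/beta/deviceManagement/troubleshootingEvents' -AccessToken $token
# Get-EnrollmentFailureSummary -Events $events -OperatingSystem 'Windows' | Format-Table -AutoSize
```

The per-user branch of the description's script is unchanged in spirit: once you have the full event list from Get-GraphCollection, filter it by the user's object ID client-side instead of trusting that the first page contains the newest failure.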

Comments • 22

  • @mukesh9182
    @mukesh9182 3 years ago

    Hi! @Concepts Work, this is really an amazing playlist. I found a guy who is diving deep into it and explaining things which nobody ever tried to tell or intimate. It's really great. Love your knowledge and expertise you show in your every video. Thank you for your time and efforts in making these videos. It really helps.

  • @aadilshaikh1893
    @aadilshaikh1893 2 years ago

    Very difficult to understand which one is the first part of the channel; all videos should be in order so we can see all videos from start to end.

  • @CountZilch
    @CountZilch 3 years ago

    Hi, great video. Have you found any way that you can put in a device restriction which prevents Windows 10 Home devices enrolling? These devices don't implement features such as WIP, which bypasses our data leakage controls. Seems to only support version numbers, not Windows editions.

    • @ConceptsWork
      @ConceptsWork  3 years ago

      You can block personal device enrollment from the device restriction console itself, but in this case you have to make sure that you have onboarded all the hardware hashes of your corp devices.

  • @habibabdulla3122
    @habibabdulla3122 3 years ago

    In the corporate device identifiers, can we add laptops/PCs or not? I didn't get you.

  • @deepakpadwal_dp
    @deepakpadwal_dp 4 years ago

    Great video with well-explained info. Can you please share more info on on-prem device management in Intune? We are looking at patching from Intune for all devices, Azure + on-prem Win 10. Thank you.

  • @cli3335
    @cli3335 4 years ago

    Hi there. Can you create a video explaining the relationships between conditional access, compliance policies, restriction policies, and configuration policies? I found that there are a lot of videos explaining each of these individually, but I have never seen someone explain how it all fits together. Thx

  • @woowee6
    @woowee6 3 years ago +1

    Great Video as always

  • @ehabgalal9181
    @ehabgalal9181 4 years ago

    Hello,
    This means if I did not put the information in corporate identifiers then it will consider it a personal device? And will it apply to all types of devices: Windows, Android and iOS?

    • @ConceptsWork
      @ConceptsWork  4 years ago

      Corporate device identifiers are not applicable to Windows as a platform as of now.

    • @ehabgalal9181
      @ehabgalal9181 4 years ago

      @@ConceptsWork so without a corporate identifier any enrollment will be seen as personal?

    • @ConceptsWork
      @ConceptsWork  4 years ago

      At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are:
      Enrolled with a device enrollment manager account (all platforms)
      Enrolled with the Apple Device Enrollment Program, Apple School Manager, or Apple Configurator (iOS only)
      Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI) number (all platforms with IMEI numbers) or serial number (iOS and Android)
      Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory registered will be marked as personal.
      Set as corporate in the device's properties list
      But if you have implemented a block personal device policy, then Intune will treat a BYOD device as a personal device.
      docs.microsoft.com/en-us/mem/intune/enrollment/corporate-identifiers-add

    • @ehabgalal9181
      @ehabgalal9181 4 years ago

      @@ConceptsWork thanks a lot for your informative information

    • @uviweq
      @uviweq 4 years ago

      @@ConceptsWork So are you saying that, if you implement a block personal device policy for Windows devices, the device can only be enrolled by a user with device enrollment manager permissions or global admin? Once enrolled, can a normal user then log on to the machine with their school or work account?

  • @aquamandwait4363
    @aquamandwait4363 2 years ago

    How to join your channel?

  • @MrRamashish
    @MrRamashish 4 years ago +1

    Can I join a Windows 10 device to Azure AD without uploading a CSV file?