Preface
This document guides you through the steps needed to deploy your whole Intune tenant within a few minutes. Before we can configure the tenant with PowerShell, a few prerequisites must be in place:
Google connection / Apple connection / Microsoft Store connection / approving the Google apps / adding the Microsoft Store apps / the company branding
Once you have configured these by following this document, you can start enrolling your tenant with a basic configuration. Of course, every customer is different, so there are always adjustments to be made.
I am using VS Code to deploy/configure our tenants. When using VS Code you can clone this repository and start using it yourself. Please check the $ScriptPath = $PSScriptRoot variable and, if needed, change it to your own folder.
Contents
Step 1a. Configure Apple MDM (Manually)
Step 1b. Configure Android MDM (Manually)
Step 1c: Add Android Apps (Manually)
Step 1d: Configure Company Branding (Manually)
Step 1e: Configure Microsoft Business Store (Manually)
Step 2: Configure Tenant
Step 3: Create/Upload/Assign Intune Apps
Step 4: Import Device Configuration Profiles
Step 5: Import Compliance Policies
Step 6: Configure Windows Update
Step 7: Configure Windows Hello
Step 8: Deploy Conditional Access
Step 9: Security Level 1/4
(Manually) = Some steps need to be performed manually before we can continue enrolling the whole Intune tenant
- Open Device Enrollment, then Apple Enrollment, and select “Apple MDM Push Certificate”
- Click on “Agree to the terms” and download the “CSR” file
- The Intune CSR is now being downloaded
- Click on “Create your MDM push certificate”. A valid Apple ID is required; create one if necessary: http://appleid.apple.com.
- Log in with the Apple ID you created
- Click on “Create a Certificate” after you have logged in
- Upload the Intune CSR file you downloaded earlier
- Now you can download the Intune certificate
- Open Intune again, enter the Apple ID corresponding to the certificate and upload the certificate you downloaded in step 9
- First we need (just like with Apple) a Google account
- Open Intune and select device enrollment - Android enrollment
- Click on “Managed Google Play”
- Make sure you “agree” and click on start Google to create a connection
- Please make sure you are signed in with the proper account
- If you are not signed in or have not yet created a Google account, click on add account and create a new company Google account
- Configure the company name when asked for
- Scroll down and make sure you are agreeing to the terms and press confirm afterwards
- Make sure you document the Apple and Google accounts used!
Now that we have configured the Google account, let’s add some apps
- Open Apps and Android Apps and click on add
- Choose App type: Beheerde/Managed Google Play and click on “open”
- Search for each App and approve it
- You will need to do this for each app you want to use, so make sure you have added all the apps
- Now that we have added all the apps, we still need to make sure we “sync” them back to Intune, so don’t forget to sync them!
Please don’t forget to configure the company branding by creating a new banner logo etc. You can do so by logging in to portal.azure.com and choosing Azure Active Directory and then Company branding.
Also make sure you configure the company name by surfing to this portal
- Log in to the Microsoft Endpoint Manager portal, open the Tenant administration blade, click on “Enable” and then on “open the business store”
- Sign in with the admin Credentials
- Click on “Manage/Beheren”.
- When asked, make sure you accept it
- Let’s create the Intune connection by clicking on Settings/Distribute and clicking on Activate at the bottom of the screen
- Now that we have connected the store to Intune, let’s add some apps. Please make sure you have added the Company Portal app
- Click on “get the app” and agree to the terms
- Make sure you do the same for the email and calendar apps
- When you have added all the apps, please make sure (just like with Google) to press the sync button
- Please make sure you have configured the Company Portal app as required
- Configure the email and calendar apps so that the assignment is uninstall!
- Download the site installation package
- Choose the proper tenant and click on download remote worker installer
- Extract the zip file to this folder c:\intune\packages\solarwinds
- Download the intunewinapp utility and start creating the Intune package: https://go.microsoft.com/fwlink/?linkid=2065730
- Source folder: c:\intune\packages\solarwinds, setup file: agent.exe, destination folder: c:\intune\packages\solarwinds
Now let's fire up Default_Enrollment.ps1. I will briefly describe what it does
.\DU\DU2a to DU2i
Please note that we are creating the "MS365BusinessLicences" group. This group is used to configure group licensing, the MDM scope and who may join Azure AD
When using the SolarWinds app, make sure you have it in the right location
# Windows10 Apps
.\DU\DU3b_Windows10_Upload_Basic_Apps.ps1
# iOS Apps
.\DU\DU3b_iOS_Upload_Basic_Apps.ps1
# Office365 Apps
.\DU\DU3b_Office365_Upload_Apps.ps1
# Edge App
.\DU\DU3b_Edge_Upload_App.ps1
# Chocolatey Apps
.\DU\DU3b_Chocolatey_Upload_Basic_Apps.ps1
#### Apps Assignment ######
# Windows10 Apps
.\DU\DU3b_Windows10_Assign_Basic_Apps.ps1
# iOS Apps
.\DU\DU3b_iOS_Assign_Basic_Apps.ps1
# Chocolatey Apps
.\DU\DU3b_Chocolatey_Assign_Basic_Apps.ps1
# Upload Chocolatey Apps Logos
.\DU\DU3b_Chocolatey_Assign_Large_Icons.ps1
#### Configure Enrollment Status Page #####
.\DU\DU3c_Config_Enrollment_Status_Page.ps1
- Check which apps you want to mark as required in the User Enrollment Status Page
Step 4a
# Importing Administrative Configurations
.\DU\DU4a_DeviceConfigurationADMX_Import_FromJSON.ps1
.\DU\Du4a_DeviceConfigurationADMX_Assignment.ps1
Step 4b
# Importing Device Configurations
.\DU\Du4b_Windows10_ImportAllDeviceConfigs.ps1
.\DU\DU4b_AppConfigurationPolicy_ImportFromJSON.ps1
.\DU\DU4b_AppConfigurationPolicy_Assignment.ps1
Step 4c
# Importing PowerShell scripts
.\DU\DU4c_Enroll_Windows10_Powershellscripts.ps1
Step 4d
# Upload Firewall Rules
.\DU\DU4d_Windows10_firewallRules.ps1
.\DU\DU5_Import_Compliance_Policies.ps1
.\DU\DU6_Config_WindowsUpdate.ps1
.\DU\DU7_Config_WindowsHello.ps1
.\DU\DU8_Config_WindowsHello.ps1
.\SL\SL1_1.ps1 .\SL\SL1_2.ps1 .\SL\SL1_3.ps1 .\SL\SL1_4.ps1
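A pre-flight check for the script sequence listed above, as an added example that is not part of this repository: it confirms that each script exists under $ScriptPath, parses without syntax errors, and records its SHA-256 so you know exactly what was run against the tenant. The script list is a subset copied from this page; the parameter names and the function name Test-EnrollmentScript are assumptions.

```powershell
# Added example: pre-flight check to run before Default_Enrollment.ps1.
# Assumption: the DU scripts live under $ScriptPath exactly as listed on this page.
param(
    [string]$ScriptPath  = $PSScriptRoot,
    [string]$PackagePath = 'C:\intune\packages\solarwinds'  # folder named on this page
)

# Subset of the script names from this page; extend with the ones you actually run.
$expected = @(
    'DU\DU3b_Windows10_Upload_Basic_Apps.ps1',
    'DU\DU3b_Windows10_Assign_Basic_Apps.ps1',
    'DU\DU3c_Config_Enrollment_Status_Page.ps1',
    'DU\DU4a_DeviceConfigurationADMX_Import_FromJSON.ps1',
    'DU\DU4d_Windows10_firewallRules.ps1',
    'DU\DU5_Import_Compliance_Policies.ps1',
    'DU\DU6_Config_WindowsUpdate.ps1',
    'DU\DU7_Config_WindowsHello.ps1'
)

function Test-EnrollmentScript {
    param([string]$Path)
    $result = [pscustomobject]@{ Path = $Path; Exists = $false; ParseErrors = 0; Sha256 = $null }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $result }
    $result.Exists = $true
    $tokens = $null; $errors = $null
    # Parse only (nothing is executed) to catch syntax errors before touching the tenant.
    [void][System.Management.Automation.Language.Parser]::ParseFile(
        (Resolve-Path -LiteralPath $Path).ProviderPath, [ref]$tokens, [ref]$errors)
    $result.ParseErrors = @($errors).Count
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return $result
}

$report = foreach ($rel in $expected) {
    Test-EnrollmentScript -Path (Join-Path $ScriptPath $rel)
}
$report | Format-Table -AutoSize

# The SolarWinds package is optional, so a missing agent.exe only raises a warning.
$agent = Join-Path $PackagePath 'agent.exe'
if (-not (Test-Path -LiteralPath $agent -PathType Leaf)) {
    Write-Warning "SolarWinds setup file not found: $agent"
}

$bad = @($report | Where-Object { -not $_.Exists -or $_.ParseErrors -gt 0 })
if ($bad.Count -gt 0) {
    Write-Error 'Pre-flight failed; fix the scripts listed above before running Default_Enrollment.ps1.'
    exit 1
}
Write-Host 'Pre-flight passed.'
```

Save it next to Default_Enrollment.ps1 so that $PSScriptRoot resolves to the repository folder, and keep the printed hashes with your change record for the tenant.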