To have local admin rights on Azure VM
- Select Access control (IAM).
- Select Add > Add role assignment and assign: Virtual Machine Administrator Login
I write some useful information and lessons learnt about SCCM, MDT, SCOM, Exchange, Lync, Windows 7/8, Windows servers, Hyper-V, VMware
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive (REG_SZ) = "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
Removal of built-in apps
To remove built-in apps during the task sequence, the PowerShell script below can be used. First prepare the list of candidates with: Get-AppxPackage -AllUsers | Select-Object Name
Build a list of Appx's to remove:
$apps = @(
    "Clipchamp.Clipchamp"
    "Microsoft.549981C3F5F10"    # Cortana
    "Microsoft.BingNews"
    "Microsoft.BingWeather"
    "Microsoft.GamingApp"
    "Microsoft.GetHelp"
    "Microsoft.Getstarted"
    "Microsoft.MicrosoftOfficeHub"
    "Microsoft.MicrosoftSolitaireCollection"
    "Microsoft.People"
    "Microsoft.PowerAutomateDesktop"
    "Microsoft.StorePurchaseApp"
    "microsoft.windowscommunicationsapps"
    "Microsoft.WindowsFeedbackHub"
    "Microsoft.WindowsMaps"
    "Microsoft.Xbox.TCUI"
    "Microsoft.XboxGameCallableUI"
    "Microsoft.XboxGameOverlay"
    "Microsoft.XboxGamingOverlay"
    "Microsoft.XboxIdentityProvider"
    "Microsoft.XboxSpeechToTextOverlay"
    "Microsoft.YourPhone"
    "Microsoft.ZuneMusic"
    "Microsoft.ZuneVideo"
)
Remove them:
foreach ($app in $apps) {
    # Exact package name; -AllUsers removes it from every existing profile
    Get-AppxPackage -AllUsers -Name $app | Remove-AppxPackage -AllUsers
}
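The loop above removes the packages from existing profiles only; the provisioned copy in the image still gets installed for every new user. The following is an added example (not the blog's own script) that removes both the installed and the provisioned packages, matches names exactly, logs each result and supports -WhatIf so the list can be reviewed before a task sequence runs it. The shorter app list and the log path are assumptions for the example.

```powershell
# Added example: remove a fixed list of built-in Appx packages for all existing users
# AND from the image's provisioned packages, so they do not return for profiles created
# later. Intended for a task sequence step running as SYSTEM.
# The app list and the log path below are assumptions for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Apps = @(
        "Clipchamp.Clipchamp",
        "Microsoft.549981C3F5F10",   # Cortana
        "Microsoft.BingNews",
        "Microsoft.BingWeather",
        "Microsoft.GamingApp",
        "Microsoft.MicrosoftSolitaireCollection",
        "Microsoft.XboxGamingOverlay",
        "Microsoft.YourPhone",
        "Microsoft.ZuneMusic",
        "Microsoft.ZuneVideo"
    ),
    [string]$LogPath = "$env:windir\Temp\Remove-BuiltinApps.log"
)

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Snapshot both inventories once; querying per name in a loop is slow and noisy.
$installed   = Get-AppxPackage -AllUsers
$provisioned = Get-AppxProvisionedPackage -Online

foreach ($name in $Apps) {
    # Exact name match: a wildcard could remove packages that merely contain the string.
    foreach ($pkg in ($installed | Where-Object Name -eq $name)) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, "Remove-AppxPackage -AllUsers")) {
            try {
                Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
                Write-Log "Removed installed package $($pkg.PackageFullName)"
            } catch {
                Write-Log "FAILED installed $($pkg.PackageFullName): $($_.Exception.Message)"
            }
        }
    }
    foreach ($prov in ($provisioned | Where-Object DisplayName -eq $name)) {
        if ($PSCmdlet.ShouldProcess($prov.PackageName, "Remove-AppxProvisionedPackage -Online")) {
            try {
                Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction Stop | Out-Null
                Write-Log "Removed provisioned package $($prov.PackageName)"
            } catch {
                Write-Log "FAILED provisioned $($prov.PackageName): $($_.Exception.Message)"
            }
        }
    }
}
Write-Log "Done."
```

Run it once with -WhatIf -Verbose on a reference machine to see exactly which package full names would be touched; in the task sequence run it without -WhatIf and collect the log from C:\Windows\Temp.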
Start menu customization
The working method used by most people is to copy "C:\Users\x\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start2.bin" from an existing machine (where the Start menu was customized) into the mounted WIM file at C:\Users\Default\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState (the full path does not exist there by default and must be created manually).
Note: Pinned folders (number 4 on the screenshot below) were not preserved and must be configured via Intune (GPO has no control over these settings).
⦁ Start layout: settings to control the Start menu appearance and its behavior
⦁ All apps options: settings to control the All apps list
⦁ Account options: settings to control the options exposed when selecting the user account icon
⦁ Pinned folders: settings to control the folders pinned for quick access
⦁ Power options: settings to control the options exposed when selecting the power button
For pinned folders create an Intune policy based on the Settings Catalog and look for:
AllowPinnedFolderDocuments
AllowPinnedFolderSettings
AllowPinnedFolderPictures
Taskbar customization
Copy the prepared LayoutModification.xml file to C:\Users\Default\AppData\Local\Microsoft\Windows\Shell
For Edge, Run and File Explorer it should look like below:
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk"/>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
But this way we cannot control whether e.g. the Search or Task View button is visible on the taskbar. That must be controlled by an Intune CSP or GPO:
Or, for the default user profile (new build scenario), we can mount the default user registry (c:\Users\default\ntuser.dat) and modify values under Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:
- hide Task View on the taskbar: ShowTaskViewButton = dword:00000000
- Widgets: TaskbarDa = dword:00000000
- Copilot: ShowCopilotButton = dword:00000000
Icons on desktop
To show icons like This PC on the desktop, modify the default user profile by mounting the default user registry (c:\Users\default\ntuser.dat) and set the values under the following path:
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
⦁ show this pc icon: {20D04FE0-3AEA-1069-A2D8-08002B30309D}=dword:00000000
⦁ recycle bin: {645FF040-5081-101B-9F08-00AA002F954E}=dword:00000000
⦁ network: {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}=dword:00000000
⦁ user files: {59031a47-3f72-44a7-89c5-5595fe6b30ee}=dword:00000000
⦁ control panel: {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}=dword:00000000
Quick access
The goal is to configure the Folder Options as on the screenshot below:
Open File Explorer to This PC: for the default user profile (new build scenario) we can mount the default user registry (c:\Users\default\ntuser.dat) and modify the value under Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:
LaunchTo=dword:00000001
To hide the Recommended section and not include account-based insights, set under Software\Microsoft\Windows\CurrentVersion\Explorer:
ShowCloudFilesInQuickAccess=dword:00000000
ShowRecommendations=dword:00000000
Initial screensaver
For the default user profile (new build scenario) we can mount the default user registry (c:\Users\default\ntuser.dat) and modify the values under Control Panel\Desktop:
ScreenSaveTimeOut="600"
ScreenSaverIsSecure="1"
SCRNSAVE.EXE="C:\Windows\System32\scrnsave.scr" (this file is there by default and contains a screen saver that is just a black screen)
All of the above are REG_SZ (String) values.
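The taskbar button, desktop icon, Quick access and screensaver sections above all follow the same procedure: load the default user's ntuser.dat as a temporary hive, write the values, unload it. The following is an added example (not the blog's own script) that does all four in one pass against an offline image. It assumes the image is mounted at C:\Mount (use "C:" for a running reference machine), that nothing else has the hive loaded, and it uses the same keys, value names and data as listed above (ScreenSaverIsSecure = "1" is the setting that requires sign-in when the screensaver is dismissed).

```powershell
# Added example: apply the default-profile registry settings from the sections above
# by loading the offline default user hive with reg.exe. Assumptions: the image is
# mounted at $MountRoot and the hive is not currently loaded by another process.
param(
    [string]$MountRoot = "C:\Mount",
    [string]$HiveName  = "DefUser"     # temporary name under HKEY_USERS
)

$hivePath = Join-Path $MountRoot "Users\Default\NTUSER.DAT"
if (-not (Test-Path $hivePath)) { throw "Default user hive not found: $hivePath" }

# Settings grouped by key relative to the hive root; [int] becomes DWORD, [string] becomes REG_SZ.
$settings = @{
    "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" = @{
        ShowTaskViewButton = 0      # hide Task View
        TaskbarDa          = 0      # hide Widgets
        ShowCopilotButton  = 0      # hide Copilot
        LaunchTo           = 1      # open File Explorer to This PC
    }
    "Software\Microsoft\Windows\CurrentVersion\Explorer" = @{
        ShowCloudFilesInQuickAccess = 0
        ShowRecommendations         = 0
    }
    "Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" = @{
        "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = 0   # This PC
        "{645FF040-5081-101B-9F08-00AA002F954E}" = 0   # Recycle Bin
        "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" = 0   # Network
        "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" = 0   # User files
        "{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}" = 0   # Control Panel
    }
    "Control Panel\Desktop" = @{
        ScreenSaveTimeOut   = "600"                              # seconds, REG_SZ
        ScreenSaverIsSecure = "1"                                # require sign-in on resume
        "SCRNSAVE.EXE"      = "C:\Windows\System32\scrnsave.scr" # blank screen saver
    }
}

& reg.exe load "HKU\$HiveName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }
try {
    foreach ($relKey in $settings.Keys) {
        $key = "Registry::HKEY_USERS\$HiveName\$relKey"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # -Force creates parents
        foreach ($name in $settings[$relKey].Keys) {
            $value = $settings[$relKey][$name]
            $type  = if ($value -is [int]) { "DWord" } else { "String" }
            New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
}
finally {
    # Release provider handles before unloading, otherwise reg.exe reports the hive is in use.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed; check for open handles to HKU\$HiveName" }
}
```

Run it from an elevated session after the WIM is mounted and before it is dismounted with -Save; if the unload warning appears, close any regedit or PowerShell session that browsed the hive and run reg.exe unload again, otherwise the dismount will fail.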
Browser favourites
For the default user profile (new build scenario) we can create the path C:\Users\default\AppData\Local\Microsoft\Edge\User Data\Default and copy into it the Bookmarks file from the machine on which the favourites were configured.
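The Start menu (start2.bin), taskbar (LayoutModification.xml) and Edge favourites (Bookmarks) sections all come down to copying a file from a reference machine into the default profile of a mounted image. This is an added example (not the blog's own script) that stages all three with the DISM PowerShell module; the source folder C:\ProfileSeed, the WIM path and index, and the mount folder are assumptions.

```powershell
# Added example: stage the default-profile files described above (start2.bin,
# LayoutModification.xml, Edge Bookmarks) into an offline install.wim.
# Assumptions: the files were exported from a reference machine into $SourceRoot;
# $WimPath/$Index identify the image to customise; $MountRoot is an empty folder.
param(
    [string]$SourceRoot = "C:\ProfileSeed",
    [string]$WimPath    = "C:\Images\install.wim",
    [int]   $Index      = 1,
    [string]$MountRoot  = "C:\Mount"
)

# Destinations are relative to the image root; the folders do not exist by default.
$files = @(
    @{ Source = "start2.bin"
       Dest   = "Users\Default\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start2.bin" },
    @{ Source = "LayoutModification.xml"
       Dest   = "Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml" },
    @{ Source = "Bookmarks"
       Dest   = "Users\Default\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks" }
)

foreach ($f in $files) {
    $src = Join-Path $SourceRoot $f.Source
    if (-not (Test-Path $src)) { throw "Missing source file: $src" }
}
# Fail here on a malformed taskbar layout rather than at first logon.
[xml](Get-Content -Raw (Join-Path $SourceRoot "LayoutModification.xml")) | Out-Null

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountRoot | Out-Null
$save = $false
try {
    foreach ($f in $files) {
        $dest = Join-Path $MountRoot $f.Dest
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Copy-Item -Path (Join-Path $SourceRoot $f.Source) -Destination $dest -Force
        Write-Host "Staged $($f.Source) -> $dest"
    }
    $save = $true
}
catch {
    Write-Error $_
}
finally {
    # Commit only if every copy succeeded; otherwise discard so the WIM is left untouched.
    if ($save) { Dismount-WindowsImage -Path $MountRoot -Save    | Out-Null }
    else       { Dismount-WindowsImage -Path $MountRoot -Discard | Out-Null }
}
```

The registry edits from the other sections can be applied between the mount and the dismount of the same image, since they also live under Users\Default in the mounted tree.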
WinGet (App Installer) is already available as a Microsoft Store app (new) in Intune. Somehow you cannot find it by name, only by ID: 9NBLGGH4NNS1 (this ID can be retrieved from the store's copy link as shown below). So the whole paragraph nr 2 can now be addressed easily.
To have any application installed via WinGet you should prepare a Win32 app (.intunewin). To do it, create a separate folder on your machine, e.g. Google.Chrome, and create two PowerShell scripts there:
Install script:
    # Locate winget.exe inside the App Installer (DesktopAppInstaller) package folder,
    # because "winget" is not on the PATH in the SYSTEM context Intune uses.
    $ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*\winget.exe" -ErrorAction SilentlyContinue
    if ($ResolveWingetPath) {
        $WingetPath = $ResolveWingetPath[-1].Path    # last match = newest installed version
    }
    $WingetPath = Split-Path -Path $WingetPath -Parent
    Set-Location $WingetPath
    .\winget.exe install --exact --id Google.Chrome --silent --accept-package-agreements --accept-source-agreements
Uninstall script:
    $ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*\winget.exe" -ErrorAction SilentlyContinue
    if ($ResolveWingetPath) {
        $WingetPath = $ResolveWingetPath[-1].Path
    }
    $WingetPath = Split-Path -Path $WingetPath -Parent
    Set-Location $WingetPath
    .\winget.exe uninstall --exact --id Google.Chrome --silent
Looking at the above scripts, you will notice that the first part resolves the DesktopAppInstaller path, because the winget command is normally not recognized in the system context.
To create the .intunewin file that can be uploaded to Intune as the source of the Win32 app, follow: https://learn.microsoft.com/
Basically, run IntuneWinAppUtil.exe and provide details like below:
Then C:\temp will contain Google.Chrome.intunewin.
As a next step open the Intune console and go to Apps > Windows. Then click the Add button and choose: Windows app (Win32).
In the next step click Select app package file and provide the .intunewin file path.
In the next step provide the name of the application in the winget convention, e.g. Google.Chrome or Adobe.Acrobat.Reader.64-bit. You can use winget search adobe to search the winget repository and find the application id.
Edit the description and note that this app uses winget for installation.
In the App version field put: newest.
Then click Next. On the next step fill out like below:
On the next step (Requirements) fill out the first 2 only.
On the Detection rules step configure like below:
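The install and uninstall scripts above, together with the Detection rules step, can be served by one parameterised script so that the application id is not hard-coded three times. This is an added example (not the blog's own scripts): it assumes it is saved as Invoke-WingetApp.ps1 in the .intunewin source folder, that App Installer is present on the device, the winget convention that exit code 0 means success, and Intune's custom-detection contract (exit 0 plus output on stdout means detected). The log path is an assumption too.

```powershell
# Added example: one script for the three Intune Win32 roles (install, uninstall,
# detection) of a winget-managed app. Assumptions: saved as Invoke-WingetApp.ps1;
# App Installer is deployed; exit code 0 = success; for custom detection Intune treats
# "exit 0 AND something written to stdout" as detected.
param(
    [Parameter(Mandatory)][ValidateSet("Install", "Uninstall", "Detect")][string]$Action,
    [Parameter(Mandatory)][string]$Id,       # exact winget id, e.g. Google.Chrome
    [string]$LogPath = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\WingetApp-$Id.log"
)

function Get-WingetExe {
    # winget.exe is not on PATH for SYSTEM; locate it inside the App Installer package folder.
    $candidates = Get-ChildItem "$env:ProgramFiles\WindowsApps\Microsoft.DesktopAppInstaller_*\winget.exe" -ErrorAction SilentlyContinue |
                  Sort-Object FullName
    if (-not $candidates) { throw "winget.exe not found under WindowsApps; is App Installer (9NBLGGH4NNS1) deployed?" }
    return $candidates[-1].FullName   # highest version sorts last
}

function Invoke-Winget([string[]]$Arguments) {
    $exe = Get-WingetExe
    "$(Get-Date -Format s)  $exe $($Arguments -join ' ')" | Add-Content $LogPath
    $output = & $exe @Arguments 2>&1
    $output | Add-Content $LogPath
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

switch ($Action) {
    "Install" {
        $r = Invoke-Winget @("install", "--exact", "--id", $Id, "--silent",
                             "--accept-package-agreements", "--accept-source-agreements",
                             "--disable-interactivity")
        exit $r.ExitCode
    }
    "Uninstall" {
        $r = Invoke-Winget @("uninstall", "--exact", "--id", $Id, "--silent", "--disable-interactivity")
        exit $r.ExitCode
    }
    "Detect" {
        # 'winget list' prints the package row only when it is installed; match the exact id in the output.
        $r = Invoke-Winget @("list", "--exact", "--id", $Id, "--accept-source-agreements", "--disable-interactivity")
        if ($r.ExitCode -eq 0 -and $r.Output -match [regex]::Escape($Id)) {
            Write-Output "Detected $Id"
            exit 0
        }
        exit 1
    }
}
```

With this layout the Intune install command becomes powershell.exe -ExecutionPolicy Bypass -File Invoke-WingetApp.ps1 -Action Install -Id Google.Chrome, the uninstall command the same with -Action Uninstall, and the detection rule is a custom script that runs the same file with -Action Detect. Because --exact and the escaped id are used throughout, a package whose id merely contains the string (for example a Beta or Canary channel) is neither installed nor reported as detected.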
Import-Module ActiveDirectory
# All OUs whose name contains "Win10"; DistinguishedName is returned by default.
$allWin10_OUs = Get-ADOrganizationalUnit -Filter 'Name -like "*Win10*"' | Select-Object -ExpandProperty DistinguishedName
# OS build 22631 is Windows 11 23H2. Computers reporting it are moved from the Win10 OU tree to
# the matching Win11 OU (same structure, "Win10" replaced by "Win11" in the distinguished name).
foreach ($sOU in $allWin10_OUs) {
    # desktops and mobiles
    foreach ($sub in "Desktop", "Mobile") {
        $sourceOU = "OU=$sub,$sOU"
        $targetOU = $sourceOU.Replace("Win10", "Win11")
        Get-ADComputer -Properties OperatingSystemVersion -Filter 'OperatingSystemVersion -eq "10.0 (22631)"' -SearchBase $sourceOU |
            Move-ADObject -TargetPath $targetOU
    }
}
Compliance policies:
    https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies
Conditional access policies:
    https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Configuration profiles:
    https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
    https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Scripts:
    https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts
    HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies
Remediations:
    https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts
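The endpoints listed above are enough to take a read-only snapshot of the tenant's policy objects, which is what you want for backup and for spotting unexpected changes between two dates. This is an added example (not from the blog) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can consent to the two read-only scopes requested, and that the output folder is writable.

```powershell
# Added example (not from the blog): read-only export of the Intune/Entra policy objects
# listed above, one JSON file per object, for backup and change review.
# Assumptions: Microsoft.Graph.Authentication module installed; the account has the
# read-only scopes requested below; $OutRoot is writable.
param([string]$OutRoot = "C:\IntuneBackup\$(Get-Date -Format yyyyMMdd-HHmm)")

Import-Module Microsoft.Graph.Authentication
# Least privilege: read-only scopes only. Policy.Read.All covers Conditional Access;
# DeviceManagementConfiguration.Read.All covers the deviceManagement endpoints.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Policy.Read.All" -NoWelcome

# Endpoint list as given in the post, keyed by an output folder name.
$endpoints = [ordered]@{
    CompliancePolicies   = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
    ConditionalAccess    = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
    DeviceConfigurations = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
    SettingsCatalog      = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
    Scripts              = "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts"
    Remediations         = "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts"
}

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so tenants with more than one page are exported completely.
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

function Get-SafeFileName([string]$Name, [string]$Id) {
    # Display names are free text; strip characters that are invalid in file names.
    $clean = ($Name -replace '[\\/:*?"<>|]', '_').Trim()
    if (-not $clean) { $clean = "unnamed" }
    return "$clean ($Id).json"
}

foreach ($entry in $endpoints.GetEnumerator()) {
    $dir = Join-Path $OutRoot $entry.Key
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $items = Get-GraphCollection -Uri $entry.Value
    foreach ($item in $items) {
        # configurationPolicies expose "name"; the other object types expose "displayName"
        $name = if ($item.displayName) { $item.displayName } else { $item.name }
        $file = Join-Path $dir (Get-SafeFileName -Name $name -Id $item.id)
        $item | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
    }
    Write-Host ("{0,-22} {1,4} objects -> {2}" -f $entry.Key, $items.Count, $dir)
}
```

Two exports taken on different days can be compared folder by folder (Compare-Object on the file lists, then a text diff of matching files) to see which policies appeared, disappeared or changed. Note that the settings catalog list returns only the policy metadata; the individual settings of a configurationPolicies object sit under its /settings sub-resource and need a further request per policy if you want them in the snapshot.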