To have local admin rights on Azure VM
- Select Access control (IAM).
- Select Add > Add role assignment and assign: Virtual Machine Administrator Login
I write some useful information and lessons learnt about SCCM, MDT, SCOM, Exchange, Lync, Windows 7/8, Windows servers, Hyper-V, Vmware
To have local admin rights on Azure VM
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
REG_SZ
OneDrive
"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
Removal of build in apps
For removal of build in apps during task sequence below PowerShell script can be used. First prepare a list by Get-AppxPackage -allusers | Select Name
Build a list of Appx's to remove:
$apps=@(
"Clipchamp.Clipchamp"
"Microsoft.549981C3F5F10 (Cortana)"
"Microsoft.BingNews"
"Microsoft.BingWeather"
"Microsoft.GamingApp"
"Microsoft.GetHelp"
"Microsoft.Getstarted"
"Microsoft.MicrosoftOfficeHub"
"Microsoft.MicrosoftSolitaireCollection"
"Microsoft.People"
"Microsoft.PowerAutomateDesktop"
"Microsoft.StorePurchaseApp"
"microsoft.windowscommunicationsapps"
"Microsoft.WindowsFeedbackHub"
"Microsoft.WindowsMaps"
"Microsoft.Xbox.TCUI"
"Microsoft.XboxGameCallableUI"
"Microsoft.XboxGameOverlay"
"Microsoft.XboxGamingOverlay"
"Microsoft.XboxIdentityProvider"
"Microsoft.XboxSpeechToTextOverlay"
"Microsoft.YourPhone"
"Microsoft.ZuneMusic"
"Microsoft.ZuneVideo")
Remove them:
foreach ($app in $apps) {
Get-AppXPackage -allUsers -Name $app | Remove-AppxPackage -allUsers
}
Start menu customization
Working and used by most people method is to copy from existing machine (where start menu was customized) "C:\Users\x\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start2.bin" to mounted wim file: C:\Users\Default\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState (the full path does not exist there by default, must be created manually)
Note: Pinned folders (number 4 on below screenshot) was not preserved – must be configured via Intune (GPO do not have control over these settings)
⦁ Start layout: settings to control the Start menu appearance and its behavior
⦁ All apps options: settings to control the All apps list
⦁ Account options: settings to control the options exposed when selecting the user account icon
⦁ Pinned folders: settings to control the folders pinned for quick access
⦁ Power options: settings to control the options exposed when selecting the power button
For pinned folders create Intune policy based on setting catalog and look for:
AllowPinnedFolderDocuments
AllowPinnedFolderSettings
AllowPinnedFolderPictures
Taskbar customization
Copy prepared LayoutModification.xml file to C:\Users\Default\AppData\Local\Microsoft\Windows\Shell
For Edge, Run and File explorer it should looks like below:
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
But this way we cannot control if e.g. Search or TaskView button is visible on taskbar or not. This must be controlled by Intune CSP or GPO:
Or for default user profile (new build scenario) we can mount default user registry (c:\Users\default\ntuser.dat) and modify under following path Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- hide task view on taskbar: ShowTaskViewButton =0
- widgets: TaskbarDa = dword:00000000
- copilot: ShowCopilotButton = dword:00000000
Icons on desktop
To show icons like This PC on desktop modify default user profile by mounting default user registry (c:\Users\default\ntuser.dat) and modify under following path
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
⦁ show this pc icon: {20D04FE0-3AEA-1069-A2D8-08002B30309D}=dword:00000000
⦁ recycle bin: {645FF040-5081-101B-9F08-00AA002F954E}=dword:00000000
⦁ network: {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}=dword:00000000
⦁ user files: {59031a47-3f72-44a7-89c5-5595fe6b30ee}=dword:00000000
⦁ control panel: {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}=dword:00000000
Quick access
goal is to configure folder options line on below screenshot:
Open File explorer to This PC: for default user profile (new build scenario) we can mount default user registry (c:\Users\default\ntuser.dat) and modify under following path Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
LaunchTo=dword:00000001
To not show recommended section and do not include account-based insights:
Software\Microsoft\Windows\CurrentVersion\Explorer
ShowCloudFilesInQuickAccess=dword:00000000
ShowRecommendations=dword:00000000
Initial screensaver
For default user profile (new build scenario) we can mount default user registry (c:\Users\default\ntuser.dat) and modify under following path Control Panel\Desktop
ScreenSaveTimeOut="600"
ScreenSaverIsSecure="1"
SCRNSAVE.EXE="C:\Windows\System32\scrnsave.scr" (this file is by default there and containing screen saver which is just black screen)
All above REG_SZ (String) values.
Browser favourite
For default user profile (new build scenario) we can create following path C:\Users\default\AppData\Local\Microsoft\Edge\User Data\Default and inside copy Bookmarks file from machine on which they were configured
WinGet (App Installer) is already available in MS Store app (new) in Intune. Somehow you cannot find it by name but by ID: 9NBLGGH4NNS1 (this ID can be retrieved from copy link as shown below). So the whole paragraph nr 2 can be addressed easily now
To have any application installed via WinGet you should prepare Win32 app (intunewin). To do it create a separate folder on your machine, e.g.: Google.Chrome. Create there 2 powershell scripts:
$ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft. if ($ResolveWingetPath){ $WingetPath = $ResolveWingetPath[-1].Path } $Wingetpath = Split-Path -Path $WingetPath -Parent cd $wingetpath .\winget.exe install --exact --id Google.Chrome --silent --accept-package-agreements --accept-source-agreements |
$ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft. if ($ResolveWingetPath){ $WingetPath = $ResolveWingetPath[-1].Path } $Wingetpath = Split-Path -Path $WingetPath -Parent cd $wingetpath .\winget.exe uninstall --exact --id Google.Chrome --silent |
Looking at the above script, you will notice that the first part is to resolve the DesktopAppInstaller path. Because the Winget command is normally not recognized in the system context.
To create intunewin file which can be uploaded to Intune as source of win32 app follow: https://learn.microsoft.com/
Basically run IntuneWinAppUtil.exe and provide details like below:
Then in C:\temp there will be Google.Chrome.intunewin
As a next step open Intune console ang go to Apps > Windows. Then click Add button and choose: Windows app (win32)
In next step click on Select app package file and provide intunewin file path
In next step provide Name of application in the convention of winget e.g. Google.Chrome or Adobe.Acrobat.Reader.64-bit. You can use: winget search adobe to search winget repository and find out application name.
Edit description and put info that this app is using winget for installation.
In App version field put: newest.
Then click next. On next step fill out like below:
On next step (Requirements) fill out first 2 only.
On Detection rules step configure like below:
$allWin10_OUs=Get-ADOrganizationalUnit -Filter 'Name -like "*Win10*"' -Properties DistinguishedName | Select DistinguishedName
#desktops
foreach ($a in $allWin10_OUs) {
[string]$sOU = $a
$sourceDesktopOU = "OU=Desktop," + ($sOU.TrimStart("@{DistinguishedName=")).trimend("}")
$targetDesktopOU = $sourceDesktopOU.Replace("Win10","Win11")
Get-ADComputer -Properties DistinguishedName, OperatingSystemVersion -Filter 'OperatingSystemVersion -eq "10.0 (22631)"' -SearchBase $sourceDesktopOU | Move-ADObject -TargetPath $targetDesktopOU
}
#mobiles
foreach ($a in $allWin10_OUs) {
[string]$sOU = $a
$sourceMobileOU = "OU=Mobile," + ($sOU.TrimStart("@{DistinguishedName=")).trimend("}")
$targetMobileOU = $sourceMobileOU.Replace("Win10","Win11")
Get-ADComputer -Properties DistinguishedName, OperatingSystemVersion -Filter 'OperatingSystemVersion -eq "10.0 (22631)"' -SearchBase $sourceMobileOU | Move-ADObject -TargetPath $targetMobileOU
}