In this scenario I will download a PowerShell script created by Pontus Wendt and make some adjustments/additions to it. It can be downloaded from his blog -> https://pontuswendt.blog/2019/05/31/a-modern-bginfo-solution-just-a-simple-powershellscript/ – Great script btw!
After downloading the script I will modify it for my environment and deploy it through Microsoft Intune to a Windows 10 Azure AD joined (enrolled) device, targeted at a dynamic user group created in Azure Active Directory. (See how I created the dynamic group in the last section of this blog post.)
- Devices running Windows 10 version 1607 or later.
- Azure AD joined or Hybrid Azure AD joined devices.
- Some PowerShell scripts require administrator privileges to run, others don't. (Our script runs without admin rights, in the user's context.)
Important things to consider before using Intune PowerShell scripts:
- If a script is configured to run in “user context” and the end user has administrator rights, the script runs with those administrator privileges by default. In other words, the script does whatever it does with the full rights of whoever is logged on, so a script that only needs to write to the user's profile (like this one) should not assume, or rely on, admin rights.
- End users do not need to sign in to the device for PowerShell scripts to execute. (A script configured to run with the logged-on credentials, as in this scenario, naturally runs in the user's session and therefore only after that user has signed in.)
- The Intune management extension client checks in with Intune once every hour and after every reboot for new scripts or changes. After you assign the policy to Azure AD groups, the script runs and the result is reported back. Once a script has executed it does not execute again unless the script or the policy changes.
- Intune cannot push a rerun of a script. (Unfortunately – a highly needed feature, MS!)
Let's begin adding the PowerShell script to Intune.
- Log in to the Intune portal -> https://devicemanagement.microsoft.com
- Click Device configuration and then PowerShell scripts.
- Now click Add, fill out Name and Description and click Next:
- Find and add the PowerShell script and select Yes for “Run this script using the logged on credentials”. Leave “Enforce script signature check” at No unless the script is signed with a certificate the devices trust; if it is, turning the check on means a modified copy of the script will refuse to run on the device:
- Now assign it to a group of users and click Next:
- Then click Add and the configuration is done:
Don't have a group created for the assignment yet? Get inspiration here.
The group I used in this scenario is called “BGInfo user group” and has a dynamic membership rule. The rule syntax I used is (user.accountEnabled -eq True), which adds every enabled user account in Azure Active Directory (AAD). So when a user logs in to the Windows 10 device, the BGInfo (Background Information) appears as a tag on the background picture.
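The same group can be created from PowerShell instead of clicking through the portal. The block below is an added example, not part of the original post or of Pontus Wendt's script. It assumes the AzureAD PowerShell module is installed and that the account you connect with may create groups. The rule from the post matches every enabled user object, which includes enabled guest (B2B) accounts, so the example also shows a tighter rule limited to member accounts; that tighter rule is a suggestion of mine, not the rule used in the post.

```powershell
# Added example (not from the original post): create the dynamic user group with the
# AzureAD PowerShell module. Assumes the AzureAD module is installed and you have
# rights to create groups in the tenant.
Import-Module AzureAD
Connect-AzureAD

# The rule from the post: every enabled user. Note that this also matches enabled guest accounts.
$ruleFromPost    = '(user.accountEnabled -eq true)'
# Tighter alternative (assumption, not from the post): enabled accounts that are members of the tenant, not guests.
$ruleMembersOnly = '(user.accountEnabled -eq true) and (user.userType -eq "Member")'

$group = New-AzureADMSGroup -DisplayName "BGInfo user group" `
    -Description "Users that receive the BGInfo PowerShell script via Intune" `
    -MailEnabled $false -MailNickname "bginfousergroup" -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $ruleMembersOnly `
    -MembershipRuleProcessingState "On"

# Membership is evaluated asynchronously by Azure AD; verify the rule and check who ended up in the group.
Get-AzureADMSGroup -Id $group.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-AzureADGroupMember -ObjectId $group.Id -All $true | Select-Object DisplayName, UserPrincipalName, UserType
```

Swap `$ruleMembersOnly` for `$ruleFromPost` if you really want every enabled account, guests included; the last line lets you check the UserType of the resulting members either way.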
- This is the dynamic BGInfo user group:
- Now log in to an Azure AD joined or Hybrid Azure AD joined PC and check that the BGInfo appears in the top right corner:
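If the tag does not show up, the Intune management extension keeps a per-user record of every script it has run, which is also the way around the "no rerun from Intune" limitation mentioned earlier: remove the record for the script and restart the extension service, and it is picked up again on the next check-in. The block below is an added example for checking and resetting that state on the device; it is not part of the original post or of Pontus Wendt's script. It assumes the registry layout HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies\<user object id>\<script id> with Result, ResultDetails and DownloadCount values, the IntuneManagementExtension.log path and the IntuneManagementExtension service name, all as the extension behaves on current Windows 10 builds. Run it in an elevated PowerShell on the device.

```powershell
# Added example (not from the original post): inspect and reset the Intune Management
# Extension (IME) script state on a Windows 10 device. Requires an elevated prompt.
# Assumptions: key layout Policies\<UserObjectId>\<ScriptId>, value names Result /
# ResultDetails / DownloadCount, log path and service name as used by IME today.

$policyRoot = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
$imeLog     = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

function Get-ImeScriptResult {
    # One row per user/script pair, so you can see in which user context a script ran.
    Get-ChildItem $policyRoot -ErrorAction Stop | ForEach-Object {
        $user = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                UserObjectId  = $user
                ScriptId      = $_.PSChildName
                Result        = $p.Result
                ResultDetails = $p.ResultDetails
                DownloadCount = $p.DownloadCount
            }
        }
    }
}

function Reset-ImeScript {
    # Removing the result key makes IME treat the script as never run for that user;
    # restarting the service forces a check-in now instead of waiting up to an hour.
    param([Parameter(Mandatory)][string]$ScriptId)
    Get-ChildItem $policyRoot | ForEach-Object {
        $key = Join-Path $_.PSPath $ScriptId
        if (Test-Path $key) {
            Remove-Item $key -Recurse -Force
            Write-Host "Removed $key"
        }
    }
    Restart-Service -Name IntuneManagementExtension
}

# 1. What has IME run, for whom, and with what result?
Get-ImeScriptResult | Format-Table -AutoSize

# 2. Recent script-related lines from the IME log.
Get-Content $imeLog -Tail 200 | Where-Object { $_ -match 'Powershell|script' } | Select-Object -Last 20

# 3. Rerun every script that did not report Success (uncomment to act):
# Get-ImeScriptResult | Where-Object Result -ne 'Success' | ForEach-Object { Reset-ImeScript -ScriptId $_.ScriptId }
```

The script IDs are the GUIDs Intune assigned when you added the script, so compare the ScriptId column with the script's ID in the Intune portal URL before resetting anything; resetting a script configured for user context reruns it in that user's session at the next check-in, with that user's rights.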