This is used in the OU Move Script, but it applies to any situation where a scheduled task or script needs to authenticate as an Azure (Entra ID) service principal for programmatic access to Microsoft Graph. A certificate credential is used instead of a client secret so that no secret has to be stored in the script or the task definition.
Create a self-signed cert on the machine the task runs from (update the password, DnsName, FilePath, and OutFile accordingly). The private key stays in the LocalMachine store; the PFX is only needed if the same identity must run on another host, and the base64 .crt (public key only) is what gets uploaded to the app registration under Certificates & secrets:
# Create self-signed cert for MS Graph Auth
$pass = "securepass"                               # PFX export password; change it and don't leave it in the script
$DnsName = "host.fqdn.local"
$FilePath = "c:\temp\azureadauth_cert.pfx"         # private key export; protect or delete after use
$OutFile = "c:\temp\azureadauth_cert_base64.crt"   # public cert (no private key) to upload to the app registration
$thumb = (New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddMonths(24)).Thumbprint
Note: -KeyExportPolicy Exportable lets any local admin pull the private key out of the store. If the task only ever runs on this host, use -KeyExportPolicy NonExportable and skip the PFX export. Either way, the account the scheduled task runs as needs read access to the private key (certlm.msc > Personal > Certificates > right-click the cert > All Tasks > Manage Private Keys).
How-to connect to MS Graph using a SP - for reference
The cert is created exactly as above. Then export the private key as a password-protected PFX (only if it has to move to another machine) and keep the thumbprint, which is what the Graph connection uses:
$securePass = ConvertTo-SecureString -String $pass -Force -AsPlainText
Export-PfxCertificate -Cert "cert:\LocalMachine\My\$thumb" -FilePath $FilePath -Password $securePass
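The connection step itself, as an added example (not code from the original notes): export the public half of the cert for upload to the app registration, then authenticate to Graph with the private key that is still in the LocalMachine store. The TenantId, ClientId and thumbprint values are placeholders; $OutFile is the same path as above.

```powershell
# Added example: certificate-based app-only auth to Microsoft Graph with the cert created above.
# Placeholders: TenantId, ClientId (app registration's Application ID) and the thumbprint.
Import-Module Microsoft.Graph.Authentication

$TenantId = 'contoso.onmicrosoft.com'                    # assumed placeholder
$ClientId = '00000000-0000-0000-0000-000000000000'        # assumed placeholder
$thumb    = 'PASTE-THUMBPRINT-FROM-NEW-SELFSIGNEDCERTIFICATE'
$OutFile  = 'c:\temp\azureadauth_cert_base64.crt'

# 1. Export the public certificate (no private key) as base64/PEM. Upload this file under
#    App registrations > (your app) > Certificates & secrets > Certificates.
$cert = Get-Item "cert:\LocalMachine\My\$thumb"
$b64  = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $OutFile -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

# 2. Authenticate with the private key from the store. No secret lives in the script; the
#    scheduled task's run-as account only needs read access to the private key.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $thumb -NoWelcome

# 3. Confirm you are app-only and see which application permissions were actually consented.
#    Anything beyond what the OU Move Script needs should be removed from the app registration.
$ctx = Get-MgContext
"AuthType=$($ctx.AuthType) app=$($ctx.ClientId) tenant=$($ctx.TenantId)"
"Granted scopes: $($ctx.Scopes -join ', ')"

Disconnect-MgGraph
```

Rotate the cert before the 24-month NotAfter: upload the new public cert, switch the task to the new thumbprint, then delete the old credential from the app registration and the old cert from the store.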
Find Permissions
-- Database users and the database roles they belong to (LEFT JOIN keeps users with no role).
-- The original was missing the second join that resolves the role name; added here.
SELECT
    u.name      AS UserName,
    u.type_desc AS UserType,
    r.name      AS RoleName
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals  AS r  ON r.principal_id = rm.role_principal_id
ORDER BY u.name, r.name;
This shows role membership only (watch for unexpected db_owner members); explicit object-level grants live in sys.database_permissions and need a separate query.
Devices, Windows, Configuration Policies, Create Profile, Win10+, Templates, Device restrictions
For Autopilot, Aaron recommends:
Under 'General' in Configuration settings: Autopilot Reset (allow), Phone reset (block). (Even though it's a Windows device, this setting disallows end users from factory resetting their machine; we may want to block that, or, if we want to allow remote end users to do this, we may want to allow it…)
Domain join profile - OOBE
Process:
https://learn.microsoft.com/en-us/autopilot/registration-overview
https://learn.microsoft.com/en-us/autopilot/add-devices
First, create an OAuth2 token (the PSFalcon API client ID and secret are saved in Secret Server):
https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/
Not sure which scopes are required, but I added:
Hosts - read/write
Host Groups - read/write
Real time response (admin) - write
Real time response - read/write
Next, upload your script to the 'Custom Scripts' section of Response scripts & files - https://falcon.crowdstrike.com/real-time-response/scripts/custom-scripts
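The same procedure done from PowerShell with PSFalcon, as an added example (not code from the original notes): get a token, upload the script, verify it, run it on one host, revoke the token. Cmdlet names are the PSFalcon module's; the script path and name, the environment variables standing in for the Secret Server lookup, the cloud region and the host AID are assumptions. Uploading custom scripts is an RTR admin action, so of the scopes listed above it is 'Real time response (admin) - write' that this step depends on.

```powershell
# Added example: PSFalcon token, custom-script upload and RTR run. Placeholders are marked.
Import-Module PSFalcon

# 1. OAuth2 token. Keep the API client creds out of the script; env vars here stand in for
#    whatever Secret Server retrieval you use. Cloud region is assumed to be us-1.
Request-FalconToken -ClientId $env:FALCON_CLIENT_ID -ClientSecret $env:FALCON_CLIENT_SECRET -Cloud 'us-1'

# 2. Upload to Response scripts & files > Custom scripts (needs 'Real time response (admin) - write').
#    'private' keeps the script visible only to this API client until you decide to share it.
$scriptPath = 'C:\temp\Get-TriageInfo.ps1'   # assumed local path
$scriptName = 'Get-TriageInfo'                 # assumed cloud name
Send-FalconScript -Path $scriptPath -Name $scriptName -PermissionType private -Platform windows -Description 'Added example script'

# 3. Confirm it landed and grab its record
$script = Get-FalconScript -Filter "name:'$scriptName'" -Detailed
if (-not $script) { throw "script $scriptName not found after upload" }
"uploaded id=$($script.id) platform=$($script.platform -join ',')"

# 4. Run it on one host by AID over RTR ('Real time response - write' plus 'Hosts - read' to find the AID).
#    The -CloudFile argument form is the RTR runscript convention; the AID is a placeholder.
$aid = 'REPLACE_WITH_HOST_AID'
Invoke-FalconRtr -Command runscript -Argument "-CloudFile='$scriptName'" -HostId $aid

# 5. Revoke the bearer token when finished so a leaked session can't be reused
Revoke-FalconToken
```

Scope the API client to exactly these permissions; an API client with RTR admin write can push arbitrary code to every host it can see, so treat its secret like a domain admin password.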
https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare
https://scloud.work/en/chocolatey-program-installation/
https://www.thelazyadministrator.com/2020/02/05/intune-chocolatey-a-match-made-in-heaven/
Use the Choco Install Template folder. Copy it to your local machine.
Grab a copy of the IntuneWinAppUtil.exe
In choco.txt, adjust the chocoID. This must match the Chocolatey package ID (e.g. for Adobe Acrobat Reader DC it's 'adobereader') - look it up at https://community.chocolatey.org/packages/
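An install script of the kind the template folder wraps, as an added example (not the template's own code): it reads the package ID from choco.txt beside it, bootstraps Chocolatey only if it is missing, installs or upgrades the package, and maps the Chocolatey exit code to what Intune expects. The script file name, the bootstrap URL, the internal source and the 3010 handling are assumptions.

```powershell
# Added example: Install-ChocoApp.ps1 for an Intune Win32 app. Assumptions are marked.
# Package with:  IntuneWinAppUtil.exe -c <folder with this script and choco.txt> -s Install-ChocoApp.ps1 -o <out>
# Intune install command:  powershell.exe -ExecutionPolicy Bypass -File Install-ChocoApp.ps1
$chocoId = (Get-Content -Path (Join-Path $PSScriptRoot 'choco.txt') -Raw).Trim()
if (-not $chocoId) { Write-Error 'choco.txt is empty'; exit 1 }

$choco = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'
if (-not (Test-Path $choco)) {
    # Bootstrap Chocolatey. Pulling install.ps1 from the internet and running it is a supply-chain
    # exposure; host a reviewed copy internally and point $installer at it (assumed URL below is the public one).
    $installer = 'https://community.chocolatey.org/install.ps1'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-Expression ((New-Object Net.WebClient).DownloadString($installer))
    if (-not (Test-Path $choco)) { Write-Error 'Chocolatey bootstrap failed'; exit 1 }
}

# Install or upgrade. --source is assumed: point it at an internal repository that mirrors only
# vetted packages rather than installing straight from the community feed on managed devices.
& $choco upgrade $chocoId -y --no-progress --source 'https://packages.example.internal/chocolatey'
switch ($LASTEXITCODE) {
    0    { exit 0 }       # success
    3010 { exit 3010 }    # reboot required; add 3010 as a "soft reboot" return code on the Intune app
    default { Write-Error "choco exited with $LASTEXITCODE"; exit $LASTEXITCODE }
}
```

For the Intune detection rule, a custom script that runs `choco list --exact <id> --limit-output`, prints the line and exits 0 when it is non-empty (and exits 1 otherwise) is the matching check; the ID should be the same value as in choco.txt.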
https://github.com/chocolatey-community/chocolatey-au
https://github.com/bcurran3/ChocolateyPackages/tree/35fb2b40baa3ed7b672c9f5e84f33888d29e14ba/vnc-viewer
https://community.chocolatey.org/packages/vnc-viewer
Update package (change version number in choco push line):
cd "C:\Users\scott.brescia\OneDrive - Monolith\Documents\GitHub\ChocolateyPackages\vnc-viewer"
Test install:
choco install vnc-viewer --source .
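The manual version of the update flow, as an added example (not code from the original notes or the ChocolateyPackages repo): bump the nuspec version, recompute the installer's SHA256 so the package pins it, pack, test-install from the local folder exactly as above, then push. The package directory, new version, download URL and the CHOCO_API_KEY environment variable are assumptions; chocolatey-au (linked above) automates the same steps.

```powershell
# Added example: update, verify, pack, test and push a Chocolatey package. Placeholders are marked.
$pkgDir  = 'C:\path\to\ChocolateyPackages\vnc-viewer'                      # assumed; your local repo clone
$version = '7.12.0'                                                          # assumed new version
$url     = 'https://downloads.example.com/VNC-Viewer-7.12.0-Windows.exe'     # assumed upstream installer URL
$apiKey  = $env:CHOCO_API_KEY                                                # assumed; never hard-code the push key

Set-Location $pkgDir

# 1. Set the new version in the nuspec (PowerShell's XML adapter writes the element text directly)
$nuspec = Get-ChildItem -Filter '*.nuspec' | Select-Object -First 1
[xml]$xml = Get-Content -Path $nuspec.FullName
$xml.package.metadata.version = $version
$xml.Save($nuspec.FullName)

# 2. Recompute the SHA256 of the installer. Put this in tools\chocolateyInstall.ps1 as the
#    -Checksum/-ChecksumType SHA256 values so an installer replaced upstream fails to install
#    instead of silently running.
$tmp = Join-Path $env:TEMP (Split-Path -Path $url -Leaf)
Invoke-WebRequest -Uri $url -OutFile $tmp
$sha = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
"version=$version url=$url sha256=$sha"

# 3. Pack and test-install from the local folder before anything leaves the machine
choco pack
choco install vnc-viewer --version $version --source . -y
if ($LASTEXITCODE -ne 0) { throw "local test install failed with $LASTEXITCODE" }

# 4. Push (this is the line whose version number changes each release)
choco push "vnc-viewer.$version.nupkg" --source https://push.chocolatey.org/ --api-key $apiKey
```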
# Install
Install-Module -Name PendingReboot
# Run
Test-PendingReboot -Detailed
# Manual checks behind the module: a pending file rename is a value under Session Manager
# (absent when nothing is pending, hence -ErrorAction SilentlyContinue)...
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
# ...while the Windows Update flag is a subkey named RebootRequired, not a value, so test for the key
Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
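The same checks rolled into one function that needs no module, as an added example (not code from the original notes or the PendingReboot module), so it can run as an Intune or ConfigMgr detection script. It goes beyond the two locations above by also checking Component Based Servicing and a pending computer rename; the registry paths are the documented Windows ones, and only the exit-code convention at the end is an assumption.

```powershell
# Added example: module-free pending-reboot check returning one object. Registry locations are
# the standard Windows ones; the detection-script exit-code convention at the bottom is assumed.
function Get-PendingRebootStatus {
    $cbs = Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    # PendingFileRenameOperations is a REG_MULTI_SZ value that only exists while renames are queued
    $pfro = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    $fileRename = [bool]($pfro -and $pfro.PendingFileRenameOperations)

    # A rename takes effect at reboot: the active name and the configured name differ until then
    $activeName  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
    $pendingName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
    $rename = $activeName -ne $pendingName

    [pscustomobject]@{
        ComponentBasedServicing = $cbs
        WindowsUpdate           = $wu
        PendingFileRename       = $fileRename
        PendingComputerRename   = $rename
        IsRebootPending         = ($cbs -or $wu -or $fileRename -or $rename)
    }
}

$status = Get-PendingRebootStatus
$status | Format-List

# As a detection script (assumed convention): exit 1 when a reboot is pending so the install or
# remediation step is held back until the device has restarted; exit 0 otherwise.
# if ($status.IsRebootPending) { exit 1 } else { exit 0 }
```

PendingFileRenameOperations is noisy (installers and AV engines set it constantly), so for gating deployments weight the CBS and Windows Update flags higher than that one.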