
intune's People

Contributors

byteben, generahl, jankeskanke, maurice-daly, nickolaja


intune's Issues

Intune Drive Setup for Latitude 7400 failed

<![LOG[======== Intune Driver Automation - Dell Latitude E7440 DRIVER PROCESSING FINISHED ========]LOG]!><time="12:03:08.849+60" date="04-16-2019" component="DriverAutomationScript" context="NT-AUTORITÄT\SYSTEM" type="1" thread="5568" file="">
<![LOG[Driver package location is C:\Temp\SCConfigMgr\Temp\Driver Files]LOG]!><time="12:03:08.942+60" date="04-16-2019" component="DriverAutomationScript" context="NT-AUTORITÄT\SYSTEM" type="1" thread="5568" file="">
<![LOG[Starting driver installation process]LOG]!><time="12:03:09.036+60" date="04-16-2019" component="DriverAutomationScript" context="NT-AUTORITÄT\SYSTEM" type="1" thread="5568" file="">
<![LOG[Reading drivers from C:\Temp\SCConfigMgr\Temp\Driver Files]LOG]!><time="12:03:09.146+60" date="04-16-2019" component="DriverAutomationScript" context="NT-AUTORITÄT\SYSTEM" type="1" thread="5568" file="">
<![LOG[An error occurred while attempting to apply the driver maintenance package. Error message: Dieser Befehl kann aufgrund des folgenden Fehlers nicht ausgeführt werden: Das System kann die angegebene Datei nicht finden.]LOG]!><time="12:03:09.364+60" date="04-16-2019" component="DriverAutomationScript" context="NT-AUTORITÄT\SYSTEM" type="3" thread="5568" file="">

How can I fix that?

Powershell 7 compatibility

Are these modules compatible with PowerShell 7.0.3? Everything seems to work fine on PowerShell 5, but on PowerShell 7 I get the following warnings/errors:
WARNING: Failed to determine if an update to the PSIntuneAuth module is necessary, will continue
WARNING: Failure to acquire access token. Response with access token was null

Please help; it would be amazing to be able to incorporate this into our work!

Additional sub folder with IntunePackage.intunewin

Running Add-IntuneWin32App creates a sub folder in the folder containing the intunewin package file, named after the setup file and containing an IntunePackage.intunewin, which is a duplicate of the file given in the FilePath parameter.

If this is necessary, it should be deleted after finishing the command.

Upload-WindowsAutopilotDeviceInfo.ps1 seems to no longer work

It runs, it does NOT error, but device never appears in Autopilot and local output is:

@odata.context            : https://graph.microsoft.com/beta/$metadata#deviceManagement/importedWindowsAutopilotDeviceIdentities/$entity
id                        : dc40a435-c6ca-41a6-812c-2f3b0f477bed
groupTag                  :
serialNumber              : 5P9KMX3
productKey                : dc40a435-c6ca-41a6-812c-2f3b0f477bed
importId                  : dc40a435-c6ca-41a6-812c-2f3b0f477bed
hardwareIdentifier        :
assignedUserPrincipalName :
state                     : @{deviceImportStatus=unknown; deviceRegistrationId=; deviceErrorCode=0; deviceErrorName=}

Bitlocker script not working

Hello has anyone run the script successfully ?
After following the instructions and running the script like this :
.\Get-IntuneManagedDeviceBitLockerKeyPresence.ps1 -TenantID "xxxxxxxxxxxx" -ClientID "yyyyyyyyyy" -State NotPresent -Verbose

This returns all of my devices .
If run with state Present it returns none.

If no driver package is found

If no driver package is found, a variable should be set so that the drivers are searched automatically in a further step.

Upload-WindowsAutopilotDeviceInfo - how to use client ID and secret?

I am trying to use the latest version of Upload-WindowsAutopilotDeviceInfo (1.2.1)

The notes say "1.2.1 - (2023-06-07) Improved access token retrieval, now supports client credentials flow using ClientID and ClientSecret parameters"

Yet when I run the script and pass a CLIENT ID and a CLIENT secret from an azure app I made, it still pops up with a username and password prompt. What am I doing wrong?

Is there any guidance to how to create the enterprise app to work right? What permissions should be turned on in the app?

Example of code I tried.. but it still asks for a username and password.

Install-Script -Name Upload-WindowsAutopilotDeviceInfo -force -confirm:$false -Scope "AllUsers"

$tenant = "mydomain.com"
$ClientID = "12sdsdsdsd-ffff-ssss-eeee-dsfsdfsdfsdf"
$Clientsecret = "blablablabla"

cd "$env:ProgramFiles\WindowsPowerShell\Scripts"
./Upload-WindowsAutopilotDeviceInfo -TenantName $tenant -ClientID $clientID -ClientSecret $clientsecret

PS Script fails for Get-ItemProperty Registry

Hi,

I keep stumbling on reading the registry via an Intune Script.

I have tried the registry path with:
Registry::HKEY_LOCAL_MACHINE\SOFTWARE...
Registry::HKLM\SOFTWARE...
HKLM:SOFTWARE.....
HKLM:\SOFTWARE....

This is my command, which works fine from PowerShell:
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot -Name 'DeploymentProfileName' | Select-Object 'DeploymentProfileName' -ExpandProperty 'DeploymentProfileName'

Intune Log records the fail as:
<![LOG[[PowerShell] Fail, the details are {"Version":1,"SigningCode":649,"SigningMsg":"(Success) AccountId:00fa6d33-858d-4d5b-9ed2-80dfca1b527b,PolicyId:d5043367-ae81-4ec1-b8c7-684d6d62045d,Type:1,Enforce: Enforcement2. OSVersion:10.0.22621,AgentVersion:1.60.206.0. ","ExecutionMsg":"Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot' because it does not \r\nexist.\r\nAt C:\Program Files (x86)\Microsoft Intune Management \r\nExtension\Policies\Scripts\c9e33b9e-6140-4340-ba29-42028da8c153_d5043367-ae81-4ec1-b8c7-684d6d62045d.ps1:12 char:20\r\n+ ... lotConfig = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Provision ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (HKLM:\SOFTWARE\...stics\AutoPilot:String) [Get-ItemProperty], ItemNotFo \r\n undException\r\n + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand\r\n \r\n\r\n"}]LOG]!><time="10:15:26.0134720" date="11-24-2022" component="IntuneManagementExtension" context="" type="3" thread="85" file="">
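Added example, not code from the issue above or from the MSEndpointMgr scripts. It assumes the difference between "works in PowerShell" and "fails under the Intune Management Extension" is host bitness: the extension lives under Program Files (x86) and runs scripts as a 32-bit process unless told otherwise, and a 32-bit process sees HKLM\SOFTWARE redirected to Wow6432Node. Opening the 64-bit registry view explicitly makes the read independent of which host runs the script. Get-RegistryValue64 and Get-ScriptHostContext are names chosen here.

```powershell
# Added example (not from the issue or the repository). Assumption: the Intune
# Management Extension runs the script as a 32-bit process, so HKLM\SOFTWARE is
# redirected to Wow6432Node and the AutoPilot key appears to be missing.

function Get-RegistryValue64 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubKey,      # path below HKLM, e.g. 'SOFTWARE\Microsoft\...'
        [Parameter(Mandatory)] [string] $ValueName,
        [ValidateSet('Registry64', 'Registry32')] [string] $View = 'Registry64'
    )
    $registryView = [Microsoft.Win32.RegistryView]::$View
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $registryView)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) {
            return $null                               # key absent in this view: let the caller decide
        }
        try {
            return $key.GetValue($ValueName)           # $null when the value itself is absent
        } finally {
            $key.Dispose()
        }
    } finally {
        $hklm.Dispose()
    }
}

function Get-ScriptHostContext {
    # Worth logging first from any Intune script: process bitness and the identity it runs as.
    [pscustomobject]@{
        Is64BitProcess = [Environment]::Is64BitProcess
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Identity       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

Get-ScriptHostContext | Format-List

# The key from the issue, read from the 64-bit view whatever the host bitness.
$subKey = 'SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
$profileName = Get-RegistryValue64 -SubKey $subKey -ValueName 'DeploymentProfileName'
if ($null -eq $profileName) {
    Write-Warning "No DeploymentProfileName under HKLM\$subKey in the 64-bit view"
} else {
    "DeploymentProfileName: $profileName"
}

# Reading the same key in the 32-bit view shows what a 32-bit host would have seen.
$fromWow = Get-RegistryValue64 -SubKey $subKey -ValueName 'DeploymentProfileName' -View Registry32
"Present in 32-bit view: $($null -ne $fromWow)"
```

The same approach works for any HKLM\SOFTWARE path the script reads; logging Get-ScriptHostContext at the top of a deployed script makes this class of failure visible in IntuneManagementExtension.log instead of surfacing as "path does not exist".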

Invoke-MSIntuneDriverUpdate.ps1

I found an few issues with the script

PS C:\temp> .\Invoke-MSIntuneDriverUpdate.ps1
At C:\temp\Invoke-MSIntuneDriverUpdate.ps1:304 char:6
+ try {
+      ~
Missing closing '}' in statement block or type definition.
At C:\temp\Invoke-MSIntuneDriverUpdate.ps1:323 char:62
+ ... $Links = ((Select-string '(http[s]?)(://)([^\s,]+.exe)(?=")' -Inpu ...
+                                                              ~
The Try statement is missing its Catch or Finally block.
At C:\temp\Invoke-MSIntuneDriverUpdate.ps1:274 char:27
+ function FindLenovoDriver {
+                           ~
Missing closing '}' in statement block or type definition.
At C:\temp\Invoke-MSIntuneDriverUpdate.ps1:323 char:62
+ ... $Links = ((Select-string '(http[s]?)(://)([^\s,]+.exe)(?=")' -Input ...
+                                                              ~
Unexpected token ')' in expression or statement.
At C:\temp\Invoke-MSIntuneDriverUpdate.ps1:439 char:129
+ ... $DriverDownloadURL -Destination "$($TempDirectory + '\Driver Cab' + ...
+                                                        ~~~~~~~
Unexpected token '\Driver' in expression or statement.
At C:\temp\Invoke-MSIntuneDriverUpdate.ps1:724 char:244
+ ... ath $LogDirectory '\Install-Drivers.txt') -Append" -NoNewWindow -Wait
+                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The string is missing the terminator: '.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingEndCurlyBrace

Get-IntuneManagedDeviceBitLockerKeyPresence.ps1 failing

https://github.com/MSEndpointMgr/Intune/blob/master/Security/Get-IntuneManagedDeviceBitLockerKeyPresence.ps1

The GraphAPI has had a change so there are a couple of things I had to change to fix this. Should I submit my changes below:
Line 175 should be this: $TokenExpireMins = (([datetime]$Headers["ExpiresOn"]).ToUniversalTime() - $UTCDateTime).Minutes
It wasn't converting ExpiresOn to UTC time so any comparison that happened would end up in the past.

Line 335: $BitLockerRecoveryKeys = Invoke-MSGraphOperation -Get -APIVersion "Beta" -Resource "informationProtection/bitlocker/recoveryKeys?`$select=id,createdDateTime,deviceId" -Headers $AuthenticationHeader -Verbose:$VerbosePreference

used to have the -Resource start as just bitlocker/ needed to add in informationProtection/bitlocker

After changing those it works again.

Set-WindowsDesktopWallPaper.ps1

Hi, We have run this script via Intune and it copies the new Wallpaper from our Azure Storage to the Desktop, however, when I check the log it as the following error and does not automatically set our new corporate wallpaper as the default. Any thoughts? Thanks Steve

<![LOG[Failed to revert permissions for wallpaper image file. Error message: Cannot convert value "ALL RESTRICTED APPLICATION PACKAGES" to type "Security2.IdentityReference2". Error: "Some or all identity references could not be translated."]LOG]!><time="14:57:03.980+0" date="06-17-2022" component="WindowsDesktopWallpaper" context="NATIONWIDEHIRE\SteveK" type="3" thread="7268" file="">

<![LOG[Failed to revert permissions for wallpaper image file. Error message: Cannot convert value "ALL RESTRICTED APPLICATION PACKAGES" to type "Security2.IdentityReference2". Error: "Some or all identity references could not be translated."]LOG]!><time="16:59:18.345+0" date="06-17-2022" component="WindowsDesktopWallpaper" context="NATIONWIDEHIRE\SteveK" type="3" thread="6656" file="">

Microsoft Intune PowerShell service principal Application ID.

Microsoft recently announced that scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) will need to be updated with the new application ID. Does anyone know if this script, or the ones in the PowerShell Gallery used via "Install-Script -Name Upload-WindowsAutopilotDeviceInfo", will be updated?

Autopilot/Set-WindowsTimeZone.ps1 is in a non-functional state

I have tried to run the Set-WindowsTimeZone script on several builds of Windows 10 and 11. The only change I made to the script is the key for AzureMaps.

Showcase:

[animation]

The fix

During the Enable-LocationServices function, the following code is used to let Windows apps access location:

$AppsAccessLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy"
Set-RegistryValue -Path $AppsAccessLocation -Name "LetAppsAccessLocation" -Value 0 -Type "DWord"

If we take a look at the details of this policy setting, a DWord of 0 means the user is in control. We instead need to set it to 1.

[image: policy setting details]

With the value set to one, the script executes as expected:

[animation]

However, by doing so, the location services are still force enabled after the script finished execution:

[image]

To get rid of this, I've edited the Disable-LocationServices function to include the LetAppsAccessLocation DWord and set it to 0:

$AppsAccessLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy"
Set-RegistryValue -Path $AppsAccessLocation -Name "LetAppsAccessLocation" -Value 0 -Type "DWord"

[image]

After execution:

[image]
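Added example, not code from Set-WindowsTimeZone.ps1 or from the issue above. It generalises the fix described there: instead of writing 0 unconditionally in the disable step, it records whatever LetAppsAccessLocation was before the script ran (including "not configured", where the value does not exist at all) and puts that back in a finally block, so the policy is never left at force-allow if the script fails half way. The value meanings used are the ones the issue states (0 = user in control, 1 = force allow). Get-PolicyDword, Set-PolicyDword and Invoke-WithLocationPolicy are names chosen here; the block needs administrative rights because it writes under HKLM\SOFTWARE\Policies.

```powershell
# Added example (not the script's code): force-allow app location access only while a
# script block runs, then restore the previous state. Assumption: 0 = user in control,
# 1 = force allow, as described in the issue; an absent value means "not configured".

$AppPrivacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$ValueName     = 'LetAppsAccessLocation'

function Get-PolicyDword {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }        # key or value absent: "not configured"
    [int]$item.$Name
}

function Set-PolicyDword {
    param([string] $Path, [string] $Name, [AllowNull()] [object] $Value)
    if ($null -eq $Value) {
        # Restoring "not configured" means deleting the value; writing 0 would itself be a configured state.
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value ([int]$Value) -PropertyType DWord -Force | Out-Null
}

function Invoke-WithLocationPolicy {
    param([Parameter(Mandatory)] [scriptblock] $ScriptBlock)
    $previous = Get-PolicyDword -Path $AppPrivacyKey -Name $ValueName
    Set-PolicyDword -Path $AppPrivacyKey -Name $ValueName -Value 1          # force allow while working
    try {
        & $ScriptBlock
    } finally {
        Set-PolicyDword -Path $AppPrivacyKey -Name $ValueName -Value $previous   # back to the prior state
    }
}

"Before: $ValueName = $(Get-PolicyDword -Path $AppPrivacyKey -Name $ValueName)"
Invoke-WithLocationPolicy -ScriptBlock {
    "During: $ValueName = $(Get-PolicyDword -Path $AppPrivacyKey -Name $ValueName)"
    # ... the geolocation lookup and Set-TimeZone call would run here ...
}
"After:  $ValueName = $(Get-PolicyDword -Path $AppPrivacyKey -Name $ValueName)"
```

The "Before" and "After" lines should print the same value (or both be empty for "not configured"); if they differ, the script has changed a device's privacy policy as a side effect.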

Invoke-MSIntuneDriverUpdate Not Extracting Drivers (HP)

This is the only script output given:

Usage: /s /e /f
/s - Un-package the package in silent mode (not showing user interaction UI)
/f - Runtime switch that overrides the default target path specified in build time
/e - Prevent execution of default executable file specified in build time.
Only extracting the content files to target folder(Use this with /s /f)

The logs show it waiting for the driver extraction but nothing is extracted to the driver folder, so after the 30 second sleep it says there are no driver inf files found.
When I run the following manually, it extracts:

PS C:\Temp\SCConfigMgr\Temp\Driver Cab> .\sp99401.exe /s /e /f "C:\Temp\SCConfigMgr\Temp\Driver Files"

Set-WindowsDesktopWallpaper.ps1 Intune

Hello, I got this error via Intune Autopilot: Error message: The name "Get-AzStorageBlob" was not recognized as the name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if the path is correct (if included), and retry the operation.

Any idea? It looks like the module is missing.

Certificates/Install-MSIntuneNDESServer.ps1

90:
$ServerAuthenticationCertificate = Get-ChildItem -Path "Cert:\LocalMachine\My" -ErrorAction Stop | Where-Object { ($_.Subject -match $NDESExternalFQDN) -and ($_.Extensions["2.5.29.37"].EnhancedKeyUsages.FriendlyName.Contains("Server Authentication")) }

because the certificate can carry multiple FQDN it should be changed to:

$ServerAuthenticationCertificate = Get-ChildItem -Path "Cert:\LocalMachine\My" -ErrorAction Stop | Where-Object { ($_.DnsNameList -match $NDESExternalFQDN) -and ($_.Extensions["2.5.29.37"].EnhancedKeyUsages.FriendlyName.Contains("Server Authentication")) }

Same for $ClientAuthenticationCertificate in line 104.

Error message: Group Policy settings require that a recovery password be specified before encrypting...

As per here https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot/, we are using this script to force start bitlocker on autopilot enrolled devices.

If the device is already encrypted and a machine reset is performed, the intune process fails and the script log file contains "Group Policy settings require that a recovery password be specified before encrypting the drive".

Can this script be modified in any way to allow an already-encrypted drive to be refreshed?

Is this any help? https://social.technet.microsoft.com/Forums/en-US/1ee8ca52-e8c6-47ad-93aa-21baa21714c0/bitlocker-powershell-8220group-policy-settings-require-that-a-recovery-password-be-specified?forum=winserverGP

thank you!

PSIntuneAuth Module broken due to AzureAD Module DLL dependency

Hi there,

Since Microsoft changed the AzureAD module to 2.0.2.180, PSIntuneAuth isn't functioning anymore, and therefore neither are the scripts that rely on this module, such as Invoke-CMApplyDriverPackage and BIOSPackage when requesting packages over the CMG.

It seems PSIntuneAuth has a dependency on the AzureAD module because of some DLLs which don't exist anymore in the latest version of the AzureAD Module.

The workaround for now is installing the AzureAD module (latest) and then adding the missing DLLs from the 2.0.2.140 version. A quick fix could be to lock the PSIntuneAuth module to the AzureAD module version that does have those DLLs. Long term, however, I'd guess the module (or the Apply Driver & BIOS Package scripts) needs a bit of rework to get the auth token that's being used.

Kind regards,

Kevin

Get-IntuneWin32AppAssignment

A command Get-IntuneWin32AppAssignment, that returns the app assignments in a data structure that can be applied using the Add-IntuneWin32AppAssignment would help in many scenarios.

Tenant 'token' not found

When using any command, I get

Failure to acquire access token. Response with access token was null

When using the -Promptbehavior Auto or RefreshSession switch, a window opens with the following error message:

AADSTS90002: Tenant 'token' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.

I have an active subscription.

certificate error

Hi,

I am running the Invoke-HPDriverUpdate.ps1 script and I am getting this log file error. Any idea if this is a cert issue on the HP side or on my side? I ran all of the steps manually (downloaded the latest HPCMSL and HPIA without error).

<![LOG[Unable to install HPCMSL module from repository. Error message: Authenticode issuer 'CN=HP Inc., OU=HP Cybersecurity, O=HP Inc., L=Palo Alto, S=California, C=US' of the new module 'HP.Private' with version '1.6.7' from root certificate authority 'CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching with the authenticode issuer 'CN=HP Inc., OU=HP Cybersecurity, O=HP Inc., L=Palo Alto, S=California, C=US' of the previously-installed module 'HP.Private' with version '1.6.4' from root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US'. If you still want to install or update, use -SkipPublisherCheck parameter.]LOG]!><time="17:16:56.730+-480" date="08-22-2022" component="HPDriverUpdate" context="NT AUTHORITY\SYSTEM" type="3" thread="17680" file="">
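Added example, not part of Invoke-HPDriverUpdate.ps1 or of the issue above. The log entry says the new HP.Private version is signed by the same issuer but chains to a different root (DigiCert Trusted Root G4 instead of DigiCert Assured ID Root CA), which is exactly what the publisher check exists to flag. Before reaching for -SkipPublisherCheck, a defender wants to see who signed the files of each installed version and which root each chain ends in. Get-ModuleSignerSummary and Compare-ModulePublisher are names chosen here; 'HP.Private' is the module named in the issue.

```powershell
# Added example (not the script's code): list the Authenticode signer and chain root of
# every signed file in each installed version of a module, so a publisher-check failure
# can be reviewed rather than bypassed.

function Get-ModuleSignerSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Name)

    foreach ($module in Get-Module -ListAvailable -Name $Name) {
        $files = Get-ChildItem -Path $module.ModuleBase -Recurse -File -Include *.psm1, *.psd1, *.ps1, *.dll
        foreach ($file in $files) {
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $root = $null
            if ($sig.SignerCertificate) {
                # Build the chain locally to find the anchor; revocation is not checked here.
                $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
                $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
                [void]$chain.Build($sig.SignerCertificate)
                if ($chain.ChainElements.Count -gt 0) {
                    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
                }
                $chain.Dispose()
            }
            [pscustomobject]@{
                Module  = $module.Name
                Version = $module.Version
                File    = $file.Name
                Status  = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = $sig.SignerCertificate.Subject
                Root    = $root
            }
        }
    }
}

function Compare-ModulePublisher {
    param([Parameter(Mandatory)] [string] $Name)
    $summary = Get-ModuleSignerSummary -Name $Name
    $notValid = @($summary | Where-Object Status -ne 'Valid')
    if ($notValid.Count -gt 0) {
        Write-Warning "$($notValid.Count) file(s) of $Name do not carry a valid signature"
    }
    # One row per distinct (signer, root) pair: more than one row means the chain changed between versions.
    $summary | Where-Object Status -eq 'Valid' | Group-Object Signer, Root | ForEach-Object {
        [pscustomobject]@{
            Signer   = $_.Group[0].Signer
            Root     = $_.Group[0].Root
            Versions = ($_.Group.Version | Sort-Object -Unique) -join ', '
        }
    }
}

Compare-ModulePublisher -Name 'HP.Private' | Format-Table -Wrap -AutoSize
```

If both rows show the same signer subject and Status is Valid for every file, the change is a root-CA migration by the publisher and -SkipPublisherCheck is an informed decision; a different signer subject or HashMismatch entries are reasons to stop.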

Support for additional attributes

It would be nice to have additional parameters for the Add-IntuneWin32App command, so the following attributes can be submitted:

  • Category
  • Information URL
  • Display app in company portal
  • Privacy URL
  • Developer
  • Owner
  • Comments

Certificates/Install-MSIntuneNDESServer.ps1

Line 194:

$ClientAuthenticationKeyContainerName = $ClientAuthenticationCertificate.PrivateKey.CspKeyContainerInfo.KeyContainerName

to

$ClientAuthenticationKeyContainerName = $ClientAuthenticationCertificate.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
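Added example, not code from Install-MSIntuneNDESServer.ps1, covering both NDES issues above: selecting the certificate by its Subject Alternative Names rather than Subject, and reading the private key's unique container name. Two refinements beyond the issues' snippets: the EKU is matched on its OID value (1.3.6.1.5.5.7.3.1) instead of the friendly name, because Oid.FriendlyName is localised on non-English Windows, and the name match is an exact -contains on DnsNameList.Unicode rather than the regex -match. DnsNameList and EnhancedKeyUsageList are the properties PowerShell adds to X509Certificate2 objects; the test certificate at the end is built in memory with CertificateRequest (.NET Framework 4.7.2+ or PowerShell 7) and assumes the hypothetical FQDN ndes.example.com. Select-ServerAuthCertificate, Get-PrivateKeyContainerName and New-TestServerCertificate are names chosen here.

```powershell
# Added example (not the script's code): pick a server-authentication certificate by SAN
# and EKU OID, then read its private-key container name. Test data is constructed below.

function Select-ServerAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]] $Certificates =
            (Get-ChildItem -Path 'Cert:\LocalMachine\My')
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth; the OID is stable, FriendlyName is localised
    $now = Get-Date
    $Certificates |
        Where-Object {
            ($_.DnsNameList.Unicode -contains $Fqdn) -and               # exact SAN match, not a regex
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
            $_.HasPrivateKey -and
            ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-PrivateKeyContainerName {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: UniqueKeyContainerName (the issue's fix) names the key file on disk;
        # KeyContainerName is only the friendly container name.
        return $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.UniqueName                    # CNG equivalent; $null for ephemeral keys
    }
    return $null
}

# Constructed test input: an in-memory self-signed certificate with two SANs and the serverAuth EKU.
function New-TestServerCertificate {
    param([Parameter(Mandatory)] [string] $Fqdn)
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        'CN=ndes-server', $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $san = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName($Fqdn)
    $san.AddDnsName('ndes-server.corp.example')       # a second name the Subject-based filter would miss
    $req.CertificateExtensions.Add($san.Build())
    $eku = [System.Security.Cryptography.OidCollection]::new()
    [void]$eku.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.1'))
    $req.CertificateExtensions.Add([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($eku, $false))
    $req.CreateSelfSigned([System.DateTimeOffset]::UtcNow.AddDays(-1), [System.DateTimeOffset]::UtcNow.AddYears(1))
}

$fqdn     = 'ndes.example.com'                         # hypothetical external FQDN
$testCert = New-TestServerCertificate -Fqdn $fqdn
$picked   = Select-ServerAuthCertificate -Fqdn $fqdn -Certificates @($testCert)
"Selected: $($picked.Subject); SANs: $($picked.DnsNameList.Unicode -join ', ')"
"Key container: $(Get-PrivateKeyContainerName -Certificate $picked)"
```

Against the real store, call Select-ServerAuthCertificate -Fqdn $NDESExternalFQDN without -Certificates; the same function selects the client-authentication certificate if $serverAuthOid is swapped for 1.3.6.1.5.5.7.3.2.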

Upload-WindowsAutopilotDeviceInfo.ps1 fails on missing dll for new AzureAD module

Hi,

There was an AzureAD module version 2.0.2.180 released yesterday. It breaks the Upload-WindowsAutopilotDeviceInfo.ps1 script because of a missing Microsoft.IdentityModel.Clients.ActiveDirectory.dll in this version. Is there an option to update the script with a required old version? And push this to powershellgallery?

Eg.
#Requires -Modules @{ ModuleName="AzureAD"; ModuleVersion="2.0.2.140" }

And maybe later have a new script based on MSGraph module?

Kind Regards,

Jeroen

Invoke-MSIntuneDriverUpdate.ps1 XML Parse Error

On my Lenovo machine, the Invoke-MSIntuneDriverUpdate.ps1 update script seems to be failing to parse the catalog.xml file from Lenovo's website.

The console output indicates that the $global:LenovoModelXML variable is null.

You cannot call a method on a null-valued expression.
At [file path]\MSEndpointMgr\Intune\Drivers\Invoke-MSIntuneDriverUpdate.ps1:268 char:4
+             $global:LenovoModelXML.GetType().FullName | Out-Null
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

I did some debugging and the value $global:LenovoModelXML seems to be null because the script is having trouble parsing the catalog.xml file. The log shows the following:

<![LOG[Error: Cannot convert value "???<?xml version="1.0" encoding="utf-8"?>
<Products>
  <Product model="Tablet10" family="len" os="win10" build="*">
    <Queries>
      <Types>
            ...
            [truncated - goes on to show entire catalog.xml file]
            ...
</Products>" to type "System.Xml.XmlDocument". Error: "The specified node cannot be inserted as the valid child of this node, because the specified node is the wrong type."]LOG]!><time="19:34:24.399+-360" date="01-06-2022" component="DriverAutomationScript" context="[my username]" type="3" thread="18112" file="">

Could this be related to the XML file's UTF-8 encoding? Some sources seem to indicate that the ??? at the beginning of the file in the log may be a Byte Order Mark (BOM) that's causing problems with parsing.

It doesn't seem like this is specific to my environment, but I'd take any suggestions.

Thank you!
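Added example, not code from Invoke-MSIntuneDriverUpdate.ps1 or from the issue above. It reproduces the symptom the poster suspects (a UTF-8 byte-order mark that survives a wrong decode as three stray characters in front of <?xml) and shows the robust alternative: hand the raw bytes to an XmlReader, which consumes the BOM itself, with DTD processing and external entity resolution turned off since a vendor catalog has no business pulling in external content. The sample catalog is constructed to resemble the Lenovo file; ConvertFrom-XmlBytes and Test-Utf8Bom are names chosen here.

```powershell
# Added example (not the script's code): parse a UTF-8 XML catalog from bytes so a BOM is
# handled by the reader, with DTD/external-entity processing disabled. Input is constructed.

function ConvertFrom-XmlBytes {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit     # no DTDs in a driver catalog
    $settings.XmlResolver   = $null                                     # never fetch external resources
    $doc = [System.Xml.XmlDocument]::new()
    $doc.XmlResolver = $null
    $stream = [System.IO.MemoryStream]::new($Bytes)
    try {
        $reader = [System.Xml.XmlReader]::Create($stream, $settings)   # the reader honours the BOM
        try { $doc.Load($reader) } finally { $reader.Dispose() }
    } finally {
        $stream.Dispose()
    }
    return $doc
}

function Test-Utf8Bom {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    ($Bytes.Length -ge 3) -and ($Bytes[0] -eq 0xEF) -and ($Bytes[1] -eq 0xBB) -and ($Bytes[2] -eq 0xBF)
}

# Constructed sample in the shape of the Lenovo catalog, written with a BOM like the file in the issue.
$xmlText = @'
<?xml version="1.0" encoding="utf-8"?>
<Products>
  <Product model="Tablet10" family="len" os="win10" build="*"><Queries><Types /></Queries></Product>
</Products>
'@
$bytes = [byte[]](0xEF, 0xBB, 0xBF) + [System.Text.Encoding]::UTF8.GetBytes($xmlText)
"BOM present: $(Test-Utf8Bom -Bytes $bytes)"

# Failing path: decode the bytes with a single-byte code page (as a wrong decode would),
# so the BOM becomes three stray characters before '<?xml', then cast to [xml].
$asString = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
try {
    [xml]$asString | Out-Null
    'string cast: ok'
} catch {
    "string cast failed: $($_.Exception.Message)"
}

# Working path: parse the bytes.
$doc = ConvertFrom-XmlBytes -Bytes $bytes
"Parsed $(@($doc.Products.Product).Count) product node(s); first model: $(@($doc.Products.Product)[0].model)"

# For the live catalog, keep bytes rather than a decoded string, e.g.:
# Invoke-WebRequest -Uri $CatalogUrl -OutFile $tmp; $bytes = [System.IO.File]::ReadAllBytes($tmp)
```

Disabling the resolver also removes the one way a fetched catalog could make the script reach out to other hosts during parsing, which matters when the script runs as SYSTEM.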

Deploying Desktop wallpaper script in Azure Active Directory-Joined Windows 10 Pro devices

I followed the script alternative described in

https://msendpointmgr.com/2021/02/02/manage-desktop-wallpaper-with-microsoft-intune

https://github.com/MSEndpointMgr/Intune/blob/bb9643042ddd43fa6cd31b43c0294e9320d02fae/Customization/Set-WindowsDesktopWallpaper.ps1

And I would like some assistance in regards to my client’s failure to take ownership message prompted. I have pushed this script, but I am getting log errors.

I think it is important to note that these Win10 Pro (19042.1052) clients are all Azure Active Directory joined, managed through Microsoft Endpoint Manager, and have Windows Defender turned on.

There are no local accounts in the devices. I noticed that I needed to change the Administrator and User security groups to match the local language (Spanish MX).

I do not know if there are other language groups to be changed in the script, or if I am missing other reasons that could be preventing the take-ownership command from executing correctly.

I tried to run the script by logging in physically in one device and permissions are requested in a prompt window. Images downloaded and stored but it is not replacing.

Thanks!

Parse error in Set-WindowsDesktopWallpaper.ps1

Pretty cool script. I get a parse error; I'm not great with PowerShell. Any ideas?
The image file is public and online, and both the storage account name and container name are correct.
Any suggestions? :)

New-AzStorageContext : Invalid URI: The hostname could not be parsed.
At \vmware-host\Shared Folders\Desktop\set-wallpapers-script-v2.ps1:68 char:30
+ ... ntContext = New-AzStorageContext -StorageAccountName $StorageAccountN ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageContext], UriFormatException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet.NewAzureStorageContext

AzureADDeviceID is missing in CustomInventory

In our environment, some devices do not report the AzureADDeviceID.

After analysing the script and the affected devices, it seems that on these devices the PSChildName is the AzureADDeviceID instead of the certificate thumbprint.

Update Certificates/Install-MSIntuneNDESServer.ps1 $ServerFQDN

Currently, code to retrieve $ServerFQDN from "Certificates/Install-MSIntuneNDESServer.ps1" retrieves the logged on user's domain to append to the computername:
$ServerFQDN = -join($env:COMPUTERNAME, ".", $env:USERDNSDOMAIN.ToLower())

To make this more universal, in case the user logged in is not in the server domain, suggest using the .NET class:
$ServerFQDN = [System.Net.Dns]::GetHostByName($env:computerName).HostName

This will make the variable correct independent of the logged on user's DNS domain.

This module won't work on Azure Automation

This module checks whether the AzureAD module is installed and installs it if not; it also clobbers with AzureADPreview.

This code does not work in an Azure Automation account because the Azure Automation sandbox does not allow installing modules. Can you please fix this behaviour?

Error in Get-IntuneManagedDeviceBitLockerKeyPresence.ps1

Hi Nickola.
I was trying to run this script in ISE and PS 7, but I'm getting different errors depending on the host used.

ISE:
WARNING: An error occurred while attempting to retrieve an authentication token. Error message: Cannot convert argument "builder", with value: "Microsoft.Identity.Client.PublicClientApplicationBuilder", for "WithDesktopFeatures" to type "Microsoft.Identity.Client.PublicClientApplicationBuilder": "Cannot convert the "Microsoft.Identity.Client.PublicClientApplicationBuilder" value of type "Microsoft.Identity.Client.PublicClientApplicationBuilder" to type "Microsoft.Identity.Client.PublicClientApplicationBuilder"."

PS 7:
WARNING: An error occurred while attempting to retrieve an authentication token. Error message: A parameter cannot be found that matches parameter name 'CreateIfMissing'.

Is there anything I can do for making it to work?
Thanks in advance!

90009 error with Get-MSIntuneAuthToken Module

Hello all,

I'm currently ramping up for our new IPU sequence and working through testing with our CMG. When trying to get the script working, it keeps getting to a failure when trying to pull a token. I was able to track down the sign-in logs to find the following error in AzureAD:

Application '{appId}'({appName}) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.

I have all of the variables set as recommended, including using a custom MDMApplicationIDURI (our Desktop Analytics registration took the default https://ConfigMgrService). This was not set in our last IPU project as we had not enabled Desktop Analytics at that point.

I'm struggling to resolve the above failure though, which I believe will allow the rest of the script to work. Any help/guidance is appreciated.

Add support for AzureADPreview module

Could you check for either the AzureAD or AzureADPreview module as a prerequisite? I only have the AzureADPreview module installed, which would work fine.

Suggestion : Along with AppID add in the AppSecret capability

[parameter(Mandatory=$false, HelpMessage="Specify the AppRegistration Secret for the Application ID.")]
[ValidateNotNullOrEmpty()]
[string]$AppSecret,

And change the token retrieval:

$Global:AuthToken = Get-MSIntuneAuthToken -TenantName $TenantName -ClientID $ApplicationID -ClientSecret $AppSecret

As long as the custom AppID has appropriate permissions, it SHOULD be remotable.

Upload-WindowsAutoPilotInfo - There is still a login prompt when using App ID and Secret

I have set up an App Registration and have added the following permissions:
Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All

When I use this app with the script, it still prompts for me to sign in before the hash is uploaded. Is there a way around this?
Thanks
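Added example, not the code of Upload-WindowsAutopilotDeviceInfo.ps1 or of Get-MSIntuneAuthToken, for the three issues above that ask how an app ID and secret should be used without a sign-in prompt. It acquires an app-only token with the OAuth 2.0 client credentials grant and then decodes the token's claims to show which application permissions ("roles") the app actually received; a delegated permission granted on the app registration shows up as "scp" only in interactive tokens, which is the usual reason an app-only call is rejected. All tenant and app values are placeholders; the secret is taken as a SecureString instead of a literal; Get-GraphAppOnlyToken and Get-TokenRoles are names chosen here.

```powershell
# Added example (not the script's code): app-only Graph token via client credentials, plus
# a claims dump to confirm the application permissions it carries. Placeholders throughout.

function Get-GraphAppOnlyToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret
    )
    $secretText = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    try {
        $body = @{
            client_id     = $ClientId
            client_secret = $secretText
            scope         = 'https://graph.microsoft.com/.default'   # every app permission consented to the app
            grant_type    = 'client_credentials'
        }
        $response = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token" `
            -Body $body -ContentType 'application/x-www-form-urlencoded'
    } finally {
        $secretText = $null
    }
    if ([string]::IsNullOrEmpty($response.access_token)) { return $null }   # let the caller decide
    @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer $($response.access_token)"
        'ExpiresOn'     = [System.DateTimeOffset]::UtcNow.AddSeconds([int]$response.expires_in)
    }
}

function Get-TokenRoles {
    # Decodes the JWT payload only (no signature check) to show what the app was granted.
    param([Parameter(Mandatory)] [hashtable] $Headers)
    $jwt     = $Headers['Authorization'] -replace '^Bearer ', ''
    $payload = $jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - ($payload.Length % 4)) % 4)                 # restore base64 padding
    $claims  = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    [pscustomobject]@{
        AppId  = $claims.appid
        Roles  = $claims.roles        # application permissions: what an app-only call is judged on
        Scopes = $claims.scp          # delegated permissions: only present in user tokens
    }
}

# Placeholders, not real values; in a deployed script the secret comes from a vault or the job environment.
$headers = Get-GraphAppOnlyToken -TenantName 'contoso.onmicrosoft.com' `
    -ClientId '00000000-0000-0000-0000-000000000000' `
    -ClientSecret (Read-Host -AsSecureString -Prompt 'Client secret')
if ($null -eq $headers) { throw 'Token request returned no access_token' }
Get-TokenRoles -Headers $headers

# Any Graph call then carries the app-only header, for example the Autopilot import resource from the output above:
# Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities' -Headers $headers
```

If Roles comes back empty, the app registration has only delegated permissions (or admin consent is missing), and no amount of passing a secret will make the upload succeed non-interactively.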

Checking Autopilot profile assignment status and rebooting

Thanks for this - I came across your script looking to improve my own. A couple of things on my wish-list:

  1. Add an option to force the script to wait after the sync until an Autopilot profile has been assigned to the device so that we know the device is ready to be deployed using Autopilot after the script has run.
  2. Add an option to reboot the device using shutdown /r /t 0 to make sure we remove the "empty" Autopilot profile that would have been created if network was available at beginning of OOBE. (Only works on 1809 and later: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/troubleshooting#profile-download)

Using these two in combination would allow for even less manual work required to enroll and deploy a device.

I might come back to add this in a PR unless you beat me to it - would you consider accepting it in that case?

Install-CloudLAPS_SchTask.ps1 OS language dependency

Hello,
I deployed Install-CloudLAPS_SchTask.ps1 to Windows 10 devices (different OS languages) through Intune; CloudLAPS was deployed correctly to all targeted devices, however for some devices the Status column returns Failed.
Looking at IntuneManagementExtension.log on these clients I found this error:

[PowerShell] Fail, the details are {"Version":1,"SigningCode":649,"SigningMsg":"(Success) AccountId:cea65ad1-a3f8-45a2-ae0d-56f2ebfa2f75,PolicyId:e9bc75ec-b503-4d3f-8ed6-d3bdf5750708,Type:1,Enforce: Audit. OSVersion:10.0.19044,AgentVersion:1.52.256.0. ","ExecutionMsg":"Install-CloudLAPSClient : Failed to Set ACL on Cloud LAPS Client Script. Error message: Ausnahme beim Aufrufen von \r\n\"RemoveAccessRuleAll\" mit 1 Argument(en): \"Manche oder alle Identitätsverweise konnten nicht übersetzt werden.\"\r\nIn C:\\Program Files (x86)\\Microsoft Intune Management \r\nExtension\\Policies\\Scripts\\879ed8b6-166a-419c-a7e1-ccae81b43443_e9bc75ec-b503-4d3f-8ed6-d3bdf5750708.ps1:622 Zeichen:1\r\n+ Install-CloudLAPSClient\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException\r\n + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-CloudLAPSClient\r\n \r\n\r\n"}

It seems to fail while executing the RemoveAccessRuleAll:

593 - $ACL2 = Get-ACL -Path $CloudLAPSClientScriptPath
594 - $ACE_Remove = New-Object system.security.AccessControl.FileSystemAccessRule("Users", "Read", "Allow")
595 - $ACL2.RemoveAccessRuleAll($ACE_Remove)

I suppose the problem is related to FileSystemAccessRule: the "Users" name (I assume it refers to BUILTIN\Users) depends on the OS language. So I converted it to a language-neutral form:

593 - $ACL2 = Get-ACL -Path $CloudLAPSClientScriptPath
594 - $BuiltinUsers = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
595 - $ACE_Remove = New-Object system.security.AccessControl.FileSystemAccessRule($BuiltinUsers, "Read", "Allow")
596 - $ACL2.RemoveAccessRuleAll($ACE_Remove)

References:

What about ?
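Added example, not code from Install-CloudLAPS_SchTask.ps1 or Set-WindowsDesktopWallpaper.ps1, serving this issue and the wallpaper issue above ("ALL RESTRICTED APPLICATION PACKAGES" could not be translated). Both failures come from building access rules from localised account names; the example builds them from well-known SIDs instead, which resolve on every OS language. BUILTIN\Users uses WellKnownSidType as in the fix above; ALL APPLICATION PACKAGES and ALL RESTRICTED APPLICATION PACKAGES are given as the SID strings S-1-15-2-1 and S-1-15-2-2. The demo file in the temp directory is constructed; ConvertTo-SecurityIdentifier and New-FileAccessRule are names chosen here.

```powershell
# Added example (not the scripts' code): language-neutral file ACEs from well-known SIDs,
# including add and RemoveAccessRuleAll round trips on a constructed temp file.

function ConvertTo-SecurityIdentifier {
    param([Parameter(Mandatory)] [object] $Principal)
    if ($Principal -is [System.Security.Principal.WellKnownSidType]) {
        return [System.Security.Principal.SecurityIdentifier]::new($Principal, $null)
    }
    return [System.Security.Principal.SecurityIdentifier]::new([string]$Principal)   # SID string form
}

function New-FileAccessRule {
    param(
        [Parameter(Mandatory)] [object] $Principal,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Read',
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow'
    )
    $sid = ConvertTo-SecurityIdentifier -Principal $Principal
    [System.Security.AccessControl.FileSystemAccessRule]::new($sid, $Rights, $Type)
}

$BuiltinUsers         = [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid
$AllRestrictedAppPkgs = 'S-1-15-2-2'   # ALL RESTRICTED APPLICATION PACKAGES
$AllAppPkgs           = 'S-1-15-2-1'   # ALL APPLICATION PACKAGES

# Constructed demo file; the same calls apply to the CloudLAPS client script or a wallpaper image.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'acl-demo.txt'
Set-Content -Path $path -Value 'demo'

$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)          # stop inheriting so the demo ACL is self-contained
$acl.AddAccessRule((New-FileAccessRule -Principal $BuiltinUsers -Rights Read))
$acl.AddAccessRule((New-FileAccessRule -Principal $AllRestrictedAppPkgs -Rights Read))
Set-Acl -Path $path -AclObject $acl

# Remove every "Users / Read / Allow" ACE, as the CloudLAPS script does, but matched by SID.
$acl = Get-Acl -Path $path
$acl.RemoveAccessRuleAll((New-FileAccessRule -Principal $BuiltinUsers -Rights Read))
Set-Acl -Path $path -AclObject $acl

# Show what is left, with the local display name where one exists (it varies by OS language).
(Get-Acl -Path $path).Access | ForEach-Object {
    $sid  = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(no local name)' }
    [pscustomobject]@{ SID = $sid.Value; Name = $name; Rights = $_.FileSystemRights; Type = $_.AccessControlType }
}
Remove-Item -Path $path
```

The Users ACE is gone and the S-1-15-2-2 ACE remains, without the script ever naming either principal in a particular language.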

Break statements after warnings in Get-MSIntuneAuthToken makes it impossible for consumers to handle errors

The use of a break statement after Write-Warning, when not in a loop, also causes consumers of this cmdlet to exit execution. See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_break?view=powershell-7.1, section "Do not use break outside of a loop, switch, or trap".

Write-Warning -Message "Failure to acquire access token. Response with access token was null"; break

Below is the code with context, from PSIntuneAuth.psm1:

# Check if access token was acquired
if ($AuthenticationResult.AccessToken -ne $null) {
    Write-Verbose -Message "Successfully acquired an access token for authentication"

    # Construct authentication hash table for holding access token and header information
    $Authentication = @{
        "Content-Type" = "application/json"
        "Authorization" = -join("Bearer ", $AuthenticationResult.AccessToken)
        "ExpiresOn" = $AuthenticationResult.ExpiresOn
    }
    # Return the authentication token
    return $Authentication
}
else {
    Write-Warning -Message "Failure to acquire access token. Response with access token was null"; break
}

This issue can be seen using a script like this:

$Tenant = "sometenant.onmicrosoft.com"
[securestring]$password = ConvertTo-SecureString "AlwaysWr0ng!" -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ("[email protected]", $password)

Write-Host "Getting the AuthToken ..."
$Global:AuthToken = Get-MSIntuneAuthToken -TenantName $Tenant -Credential $credentials 
Write-Host "This will never be executed ... "

This would be better implemented with this pattern:

else {
    Write-Warning -Message "Failure to acquire access token. Response with access token was null"; 
    return $null
}
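Added example, not PSIntuneAuth's code, covering this issue and the Get-IntuneManagedDeviceBitLockerKeyPresence.ps1 fix above (ExpiresOn compared without converting to UTC). It builds the same authentication hash table the module returns, signals failure with $null as suggested here so the caller keeps running, and computes remaining token lifetime in UTC, using TotalMinutes so that a token with more than an hour left is not truncated to the minutes component. The AuthenticationResult objects are constructed stand-ins for what MSAL returns; New-AuthenticationHeader and Get-TokenMinutesRemaining are names chosen here.

```powershell
# Added example (not the module's code): return $null instead of break, and measure token
# lifetime in UTC. Inputs are constructed stand-ins for an MSAL AuthenticationResult.

function New-AuthenticationHeader {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [AllowNull()] [object] $AuthenticationResult)

    if ([string]::IsNullOrEmpty($AuthenticationResult.AccessToken)) {
        Write-Warning -Message 'Failure to acquire access token. Response with access token was null'
        return $null                     # "break" here would unwind the caller's script as well
    }
    @{
        'Content-Type'  = 'application/json'
        'Authorization' = -join ('Bearer ', $AuthenticationResult.AccessToken)
        'ExpiresOn'     = $AuthenticationResult.ExpiresOn
    }
}

function Get-TokenMinutesRemaining {
    param([Parameter(Mandatory)] [hashtable] $Headers)
    $raw = $Headers['ExpiresOn']
    # ExpiresOn may be a DateTimeOffset (MSAL), a DateTime, or a string; normalise to UTC first.
    if ($raw -is [System.DateTimeOffset]) {
        $expiresUtc = $raw.UtcDateTime
    } elseif ($raw -is [datetime]) {
        $expiresUtc = $raw.ToUniversalTime()
    } else {
        $expiresUtc = ([System.DateTimeOffset]::Parse([string]$raw)).UtcDateTime
    }
    # Whole span, not the .Minutes component: a token with 1h55m left reports 115, not 55.
    [int][math]::Floor(($expiresUtc - [datetime]::UtcNow).TotalMinutes)
}

function Test-TokenNeedsRenewal {
    param([Parameter(Mandatory)] [hashtable] $Headers, [int] $MinimumMinutes = 5)
    (Get-TokenMinutesRemaining -Headers $Headers) -lt $MinimumMinutes
}

# Constructed stand-ins: a token valid for 115 minutes, and a failed acquisition.
$good = [pscustomobject]@{ AccessToken = 'eyJ0eXAi.constructed.token'; ExpiresOn = [System.DateTimeOffset]::UtcNow.AddMinutes(115) }
$bad  = [pscustomobject]@{ AccessToken = $null;                        ExpiresOn = $null }

$headers = New-AuthenticationHeader -AuthenticationResult $good
"Minutes remaining: $(Get-TokenMinutesRemaining -Headers $headers); renew now: $(Test-TokenNeedsRenewal -Headers $headers)"

$headers = New-AuthenticationHeader -AuthenticationResult $bad
if ($null -eq $headers) {
    'Caller still runs after the warning and can retry, prompt, or fail cleanly'
}
```

A consumer that needs hard failure can still `throw` on $null; the point is that the decision belongs to the calling script, not to the module.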
