iamsysadmin

Building a Secure LAPS Password Portal with Azure and Microsoft Graph

Posted on 07/04/202607/04/2026 by Remy Kuster

We are planning to implement Local Administrator Password Solution, but the first thing I wondered was how inconvenient it would be for support engineers and helpdesk staff to retrieve LAPS account and password. Log into the Intune portal, navigate to the devices tab, search for the device, and dig through the properties to find the LAPS password — every single time they need an admin account. That had to be faster.

So (with some help of a good friend) I built the LAPS Portal: an Azure Web App with an Azure Function App as the backend, secured by two app registrations for authentication and Graph API calls. It runs at no extra cost and works on any device. Especially useful when you’re standing next to a device in the field and need the LAPS account and password right then and there — just open the portal on your phone, type the device name, and you’re done.

Here is exactly how you can set this up.

Soft‑Deleted Entra ID Group Broke an Intune Role

Posted on 11/03/202611/03/2026 by Remy Kuster

Recently, I ran into a confusing Intune issue that looked like a permissions problem… but turned out to be something completely different and far more subtle.
If you work with Intune RBAC, custom roles and scope tags, this story may save you a lot of troubleshooting.

Create a Custom Entra ID Role to View LAPS Passwords in Microsoft Intune

Posted on 26/01/202604/02/2026 by Remy Kuster

We’re planning to roll out Windows Local Administrator Password Solution (LAPS), and a key requirement is that our helpdesk staff and workplace admins can access the LAPS password. This post shows how to view LAPS passwords in Intune without granting to much permissions. I will explain how to create a custom Microsoft Entra ID role that allows controlled visibility of LAPS passwords, and how to integrate this role seamlessly with existing Privileged Identity Management (PIM) group.

Easily install and update apps on your home PC with Patch My PC Home Updater

Posted on 29/10/202429/10/2024 by Remy Kuster

My colleagues and I oversee numerous applications across our 6,000 managed workstations. Keeping these applications up-to-date is critical, as 70% of successful malware attacks target outdated vulnerabilities. Security updates occur monthly, sometimes even more frequently. Repackaging applications for managed devices is time-consuming, so we adopted Patch My PC years ago.
Patch My Pc enables us to save countless hours by automating the patching process for many applications installed on our workstations managed by Configuration manager or Intune. But what about your personal owned Windows devices?

Error 0X800F0954 installing Feature on demand like Basic typing, handwriting, text-to-speech, etc.

Posted on 17/10/202421/10/2024 by Remy Kuster

Employees using our managed workstations have recently encountered issues installing Windows 11 language packs FOD. While the language packs install without a hitch, additional features such as Basic typing, handwriting, and text-to-speech fail to install across all attempted languages. In this post I will explain the cause of the problem and provide a solution.

Postpone or enable MFA for cloud admin accounts to access Microsoft admin Portals

Posted on 07/10/202408/10/2024 by Remy Kuster

Microsoft is set to enforce Multi-Factor Authentication (MFA) on admin accounts accessing the Microsoft Entra Admin Center, Azure portal and Microsoft Intune Admin Center starting October 15, 2024.

This article will guide you through the steps to either postpone this enforcement or immediately implement MFA for your admin accounts.

Teams Outlook add-in missing after uninstall Classic Teams

Posted on 05/06/202405/06/2024 by Remy Kuster

Last week we were getting reports from employees that the Teams add-in in Outlook suddenly disappeared. After some research we discovered this happened because the Classic Teams was uninstalled automatically in the background by the Microsoft policy. These employees already were working with Teams 2.0. There are a few ways to get the Outlook add-in working again. In this post I will show how you can fix this, form a manual action to running a script.

Great tool to change MECM content path locations

Posted on 21/02/202421/02/2024 by Remy Kuster

Just a tip for a really useful tool. Our storage department was planning a storage migration so the content share used for applications, packages, etc in MECM (SCCM) changed. We already used a cname to point to the content share for a lot of objects but not for all of them. So I was looking for a tool to change content paths to the correct cname share in MECM.

This tool does the job! I can really recommend it!

Assign Intune device category based on users department property

Posted on 14/02/202405/04/2024 by Remy Kuster

macOS devices enrolled via Apple Business Manager don’t have the option to be enrolled to Intune with a group tag like Windows devices. With a group tag you can create a dynamic device group and then auto assign a scope tag to those devices. So it would be nice to think of something so macOS devices also could be added to a dynamic group and then auto assign a scope tag to those devices. In order to achieve this I created a PowerShell script with Intune Graph to auto assign a (department) category to the macOS Intune managed devices based on the users department property. You can read my post to find out how you can achieve this.

Deploy Microsoft Project and Visio (Click-to-run)

Posted on 05/02/202405/02/2024 by Remy Kuster

I got a request at work if I could create the deployment of the latest versions (Click-to-run) of Microsoft Visio and Project and set the Monthly update channel. The deployment of the applications should be made available in the Company Portal for users that are a member of the Entra ID synced Active Directory group to which the Visio and or Project Online plan licenses are assigned to.
We still run a 32 bits MS365 Apps on devices so got a mix of 32 bits and 64 bits MS 365 apps. The deployment should automatically detect the MS 365 apps architecture and then install the correct 32 or 64 bits version of Project and / or Visio. In this post I will show you how I did this. I will also provide all the sources and scripts you need to accomplish this.

Change Intune device category with PowerShell and MS Graph Intune module

Posted on 23/01/202423/01/2024 by Remy Kuster

I tried to find a way to be able to change the category assigned to an Intune device without having to use the Intune portal. I found a lot of information about it and even working scripts. But these scripts didn’t do exactly what I wanted. So I used some scripts and information about PowerShell and the MS Graph Intune module and merged them into my script. Some results I wanted to accomplish were to change an Intune device category by using the device name and the category name not the device ID or category ID. I also build in some checks. I wrote this post about it and I hope you find it useful.

Deploy the Company Portal with Intune

Posted on 08/07/202308/07/2023 by Remy Kuster

In this post I will show you how to deploy the Company Portal App from the Microsoft Store app (new) with Intune. The company portal is an essential app you should deploy on the devices you want to manage with Intune. With the Company Portal users can securely access their company apps and data, install or reinstall applications, check if the device meets compliancy and more.

You can install the company portal on Windows 10/11, macOS, Android and iOS, but I will cover the Windows deployment in this post.

Admin managed Office add-ins not shown

Posted on 03/03/202321/03/2023 by Remy Kuster

Sometimes it can happen that admin managed assigned add-ins are not shown in the 365 apps. Even though the requirements for deploying admin managed add-ins are all there. I had this issue on my Personal device but some employees on managed devices also had this issue. The add-ins were available when trying to add them in the 365 web versions of the apps but not in the local 365 apps. The message that appears when having this issue can be different. In this post I will show you the error you can get but also the solution that will fix this issue.

Fix 7-zip vulnerability help file

Posted on 20/04/202220/04/2022 by Remy Kuster

A vulnerability was found in 7-Zip 21.07 that can be exploited through the 7-Zip Help file. This post will show how to remediate this vulnerability by deleting the 7-zip.chm file. In this post I will show you 2 ways you can accomplish this:
With a MECM (SCCM) configuration item deployment and with Intune script. In this post I will remediate the 7-zip (all versions) 64 bits version with MECM, and only the 21.07 (32 and 64 bits) version with Intune.

Upgrade to MECM version 2203

Posted on 11/04/202211/04/2022 by Remy Kuster

Update 2203 for Microsoft Endpoint Configuration Manager (MECM) is now available. In this post I will show all the steps you have to take to upgrade your current MECM installation. To install MECM 2203 as an update, you must have MECM version 2010 or later installed. If you check for updates in your console and the update is not available this post also shows how to get it using the early update ring script. I personally would not install the new version when it still is in the early ring on your production environment but it would be suited for a lab or test environment. When the new version is available in the production ring usually there is an hotfix available already so that would be a good version to install on your MECM production.

Upgrade to MECM version 2107

Posted on 08/09/202109/09/2021 by Remy Kuster

Update 2107 for Microsoft Endpoint Configuration Manager (MECM) current branch is available since 20-8-2021. In this post I will show all the steps you have to take to upgrade your current MECM installation. To install MECM 2107 as an update, you must have MECM version 2002 or later installed.

Restrict signing into 365 Apps with a personal Microsoft account

Posted on 16/07/202116/07/2021 by Remy Kuster

In this post I will show you how you can restrict users signing into 365 Apps with a personal microsoft account.

Fix Microsoft 365 apps activation issue

Posted on 02/06/202102/06/2021 by Remy Kuster

I am currently testing deployment of the MS 365 apps. But we are running into the following error when users are trying to activate the MS 365 apps: Another account from your organization is already signed in on this computer. Enter a product key instead. This happens when users are already signed into older Office versions with their old User Principale Name (UPN) and it was changed was changed before the installation of the MS 365 apps. In this post I will explain the issue and show the solution to prevent this issue and to fix it when you have got the activation issue.

Software Center customization: Display custom tabs with Microsoft Edge WebView2 runtime

Posted on 22/04/202122/04/2021 by Remy Kuster

In my post about the MECM 2103 upgrade I made a list of my top 5 new features of MECM version 2103. One of these new features is Improved user experience and security with Software Center custom tabs. You can now use the Microsoft Edge WebView2 browser control in MECM version 2103 and with this control more websites should work with custom tabs without displaying script errors or security warnings. We had a lot of script errors before when using custom tabs to websites, but now these errors should be gone. In this post I will show you how you can enable custom tabs with Microsoft Edge WebView2 runtime.

Upgrade to MECM version 2103

Posted on 15/04/202108/09/2021 by Remy Kuster

Update 2103 for Microsoft Endpoint Configuration Manager (MECM) current branch is now available. In this post I will show all the steps you have to take to upgrade your current MECM installation. To install MECM 2103 as an update, you must have MECM version 1902 or later installed. If you check for updates in your console and the update is not available this post also shows how to get it using the fast ring script.

Fix configuration missing error 401 in Endpoint Manager Admin Center

Posted on 10/02/202115/05/2021 by Remy Kuster

If you have setup Co-management in your MECM console you can now manage devices from the Microsoft Endpoint Manager Admin Center. If you want to know what you can do with the Microsoft Endpoint Manager Admin Center read this walktrough from Microsoft.
In this post I will show you how you can fix the Configuration missing error if you want to use one of the following features when selecting a device that is Co-managed: Resource explorer (preview), Client details (preview), Timeline (preview), Collections (preview), Applications (preview), CMPivot (preview) and Scripts (preview). In this post i will be using MECM version 2010.

Set custom Teams backgrounds with Powershell

Posted on 07/02/202115/05/2021 by Remy Kuster

I got a request at work that it would be nice if users already have got some of the companies custom teams background that they can select as their background in a meeting. They wouldn’t have to upload the images themselves but they would already be in teams to select. It also should be easy to add new custom backgrounds if needed. So I made a powershell script with a colleague of mine that would do this. In this post I will show you how this script works and you can use it yourself.

Setting up Co-management MECM (SCCM) Part 1

Posted on 03/01/202115/05/2021 by Remy Kuster

A lot of company’s are still managing there devices on premise with domain joined devices and with MECM (SCCM). But with the pandemic most employees are working at home on there personal device or on a domain joined mobile device. Managing the domain joined devices that are being used at home is quite challenging. Off course you can deploy your applications and windows update with MECM and an active vpn connection.
But still how often do employees connect with the vpn application? If they don’t the device will become unsecure because of missing windows updates and missing application updates. You want these kind of devices to be updated and managed even without an active vpn connection. To be able to do this we can setup co-management in MECM. In this post I will show you how to setup co-management in MECM 2006.

Issues after Google Chrome enterprise upgrade

Posted on 11/11/202006/04/2021 by Remy Kuster

I recently updated Google Chrome Enterprise version 84.0.4147.125 x64 to version 86.0.4240.111 x64. After the upgrade some users had issues. Users that had set Chrome as their default browser before the upgrade could not open URL’s anymore. Some shortcuts that we created to open a specific URL with Chrome by default even if the default browsers wasn’t Chrome didn’t work anymore. In this post I will explain what happened and how you can fix the issues if your would run into them.

Uninstall Adobe Flash with KB4577586

Posted on 29/10/202006/04/2021 by Remy Kuster

Microsoft has released a Windows update (KB4577568) that removes Adobe’s Flash Player before it reaches end of support on December 31, 2020. However, it isn’t rolling out via Windows Server Update Service (WSUS) yet, and the update needs to be downloaded and installed from the Microsoft Update Catalog. It will become available to WSUS in early 2021. In this post I will show how you can Import this update in WSUS and deploy it with MECM (Software Update Point).

Create structure in your MECM (SCCM) console !UPDATED!

Posted on 25/10/202020/09/2021 by Remy Kuster

The MECM console is the place where you do all of your operational tasks. Deploying windows OS and updates, creating and deploying applications, creating user and device collections, task sequences, running scripts, monitoring and much more.
In order to keep a good overview it is important to create structure within your MECM (SCCM) console, so everyone knows where to find what.
This post will describe a way to structure the MECM console.

Right Click Tools for MECM (SCCM)

Posted on 12/10/202006/04/2021 by Remy Kuster

You can do a lot of tasks with MECM, but the one thing that MECM doesn’t have are some good device management remote actions. MECM has got client notification that allows you to perform client actions on a collection or on a single device, but still the amount of actions and feedback of these actions are not really that great. I have been using an other great MECM 3rd party tool called RECAST Right Click Tools (RCT) and it is available as a free version or a payed Enterprise version. Off course the Enterprise version has got more actions/tools available but still the free version really makes the life of a system administrator or it support employee much easier.

Start menu not working: Critical Error

Posted on 28/09/202006/04/2021 by Remy Kuster

After installing the Cumulative Update KB4570333 released the 8th of September (W10 1809) we got some calls from users that the start menu didn’t work anymore. There also was a Critical Error shown when clicking the start menu button. In this post I will show you how to fix this error.

Show specific scripts to MECM (SCCM) console users

Posted on 21/09/202006/04/2021 by Remy Kuster

A few days ago one of my colleagues asked me if we couldn’t let the IT helpdesk colleagues run scripts from the console by themselves. Great idea of course because a script can fix an issue and help a user really quick and the user will be helped a lot faster if the helpdesk employees can run the script(s) by themselves instead of having to call a colleague of a different IT team first who can run the scripts. But the console can have a lot of scripts, perhaps you don’t want the helpdesk to be able to run all the created scripts but only a selection of them. So in this post I will show you how to allow a specific script or scripts to be run by the helpdesk employees.

Install Microsoft Teams with Microsoft Endpoint Configuration Manager

Posted on 07/09/202015/05/2021 by Remy Kuster

Because of the world wide epidemic of COVID-19 a lot of employees are working at home. The last few months the usage of online/cloud meeting platforms has exponentially grown and because of this a lot of companies had to implement MS teams much faster then planned. In order to use teams you can use the online teams or install the Teams app, you don’t need admin rights in order to install it on a computer.
So an employee could go and use a browser to use the teams online or install the Teams app on his or hers companies computer, but it would be even better when the employees won’t have to install it at all, and could just use the desktop Teams app when using the companies computers. In this case the best thing to do is to deploy the Teams desktop client. So in this post I will show how to Install Microsoft Teams with Microsoft Endpoint Configuration Manager.

Microsoft 365 Apps update channels

Posted on 18/08/202006/04/2021 by Remy Kuster

A few months ago Microsoft changed the names of the Microsoft 365 Apps update channels (May 2020) and the titles of the Microsoft 365 Apps update channels monthly feature/security updates (July 2020). In this post I will show you what impact this could have on your active Office 365 environment in MECM (SCCM).

Deploy Windows 10 build as a feature update

Posted on 18/07/201915/04/2022 by Remy Kuster

With MECM (SCCM) you can deploy a new Windows 10 build in two ways. You can deploy Windows 10 build as a feature update (Servicing) or you can create a task sequence (in-place-upgrade).

In my opinion with a task sequense you can easy create pre and post actions based on variables but the time that a user can’t use the computer (downtime) can be quiet long.

Deploying the feature update with servicing is much more user friendly, because there is almost no downtime for the user. Creating pre and post actions can be done but are not easy and can’t be based on variables like task sequence steps can.