Featured posts » IAMSYSADMIN

Building a Secure LAPS Password Portal with Azure and Microsoft Graph

Posted on 07/04/202621/05/2026 by Remy Kuster

We are planning to implement Local Administrator Password Solution, but the first thing I wondered was how inconvenient it would be for support engineers and helpdesk staff to retrieve LAPS account and password. Log into the Intune portal, navigate to the devices tab, search for the device, and dig through the properties to find the LAPS password — every single time they need an admin account. That had to be faster.

So (with some help of a good friend) I built the LAPS Portal: an Azure Web App with an Azure Function App as the backend, secured by two app registrations for authentication and Graph API calls. It runs at no extra cost and works on any device. Especially useful when you’re standing next to a device in the field and need the LAPS account and password right then and there — just open the portal on your phone, type the device name, and you’re done.

Here is exactly how you can set this up.

Soft‑Deleted Entra ID Group Broke an Intune Role

Posted on 11/03/202611/03/2026 by Remy Kuster

Recently, I ran into a confusing Intune issue that looked like a permissions problem… but turned out to be something completely different and far more subtle.
If you work with Intune RBAC, custom roles and scope tags, this story may save you a lot of troubleshooting.

Create a Custom Entra ID Role to View LAPS Passwords in Microsoft Intune

Posted on 26/01/202604/02/2026 by Remy Kuster

We’re planning to roll out Windows Local Administrator Password Solution (LAPS), and a key requirement is that our helpdesk staff and workplace admins can access the LAPS password. This post shows how to view LAPS passwords in Intune without granting to much permissions. I will explain how to create a custom Microsoft Entra ID role that allows controlled visibility of LAPS passwords, and how to integrate this role seamlessly with existing Privileged Identity Management (PIM) group.

Error 0X800F0954 installing Feature on demand like Basic typing, handwriting, text-to-speech, etc.

Posted on 17/10/202421/10/2024 by Remy Kuster

Employees using our managed workstations have recently encountered issues installing Windows 11 language packs FOD. While the language packs install without a hitch, additional features such as Basic typing, handwriting, and text-to-speech fail to install across all attempted languages. In this post I will explain the cause of the problem and provide a solution.

Teams Outlook add-in missing after uninstall Classic Teams

Posted on 05/06/202405/06/2024 by Remy Kuster

Last week we were getting reports from employees that the Teams add-in in Outlook suddenly disappeared. After some research we discovered this happened because the Classic Teams was uninstalled automatically in the background by the Microsoft policy. These employees already were working with Teams 2.0. There are a few ways to get the Outlook add-in working again. In this post I will show how you can fix this, form a manual action to running a script.

Great tool to change MECM content path locations

Posted on 21/02/202421/02/2024 by Remy Kuster

Just a tip for a really useful tool. Our storage department was planning a storage migration so the content share used for applications, packages, etc in MECM (SCCM) changed. We already used a cname to point to the content share for a lot of objects but not for all of them. So I was looking for a tool to change content paths to the correct cname share in MECM.

This tool does the job! I can really recommend it!

Deploy Microsoft Project and Visio (Click-to-run)

Posted on 05/02/202405/02/2024 by Remy Kuster

I got a request at work if I could create the deployment of the latest versions (Click-to-run) of Microsoft Visio and Project and set the Monthly update channel. The deployment of the applications should be made available in the Company Portal for users that are a member of the Entra ID synced Active Directory group to which the Visio and or Project Online plan licenses are assigned to.
We still run a 32 bits MS365 Apps on devices so got a mix of 32 bits and 64 bits MS 365 apps. The deployment should automatically detect the MS 365 apps architecture and then install the correct 32 or 64 bits version of Project and / or Visio. In this post I will show you how I did this. I will also provide all the sources and scripts you need to accomplish this.

Change Intune device category with PowerShell and MS Graph Intune module

Posted on 23/01/202423/01/2024 by Remy Kuster

I tried to find a way to be able to change the category assigned to an Intune device without having to use the Intune portal. I found a lot of information about it and even working scripts. But these scripts didn’t do exactly what I wanted. So I used some scripts and information about PowerShell and the MS Graph Intune module and merged them into my script. Some results I wanted to accomplish were to change an Intune device category by using the device name and the category name not the device ID or category ID. I also build in some checks. I wrote this post about it and I hope you find it useful.

Deploy the Company Portal with Intune

Posted on 08/07/202308/07/2023 by Remy Kuster

In this post I will show you how to deploy the Company Portal App from the Microsoft Store app (new) with Intune. The company portal is an essential app you should deploy on the devices you want to manage with Intune. With the Company Portal users can securely access their company apps and data, install or reinstall applications, check if the device meets compliancy and more.

You can install the company portal on Windows 10/11, macOS, Android and iOS, but I will cover the Windows deployment in this post.