Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Intune Cookbook

You're reading from   Microsoft Intune Cookbook Over 75 recipes for configuring, managing, and automating your identities, apps, and endpoint devices

Arrow left icon
Product type Paperback
Published in Jan 2024
Publisher Packt
ISBN-13 9781805126546
Length 574 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Andrew Taylor Andrew Taylor
Author Profile Icon Andrew Taylor
Andrew Taylor
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Chapter 1: Getting Started with Microsoft Intune FREE CHAPTER 2. Chapter 2: Configuring Your New Tenant for Windows Devices 3. Chapter 3: Securing Your Windows Devices with Security Policies 4. Chapter 4: Setting Up Enrollment and Updates for Windows 5. Chapter 5: Android Device Management 6. Chapter 6: iOS Device Management 7. Chapter 7: macOS Device Management 8. Chapter 8: Setting Up Your Compliance Policies 9. Chapter 9: Monitoring Your New Environment 10. Chapter 10: Looking at Reporting 11. Chapter 11: Packaging Your Windows Applications 12. Chapter 12: PowerShell Scripting across Intune 13. Chapter 13: Tenant Administration 14. Chapter 14: Looking at Intune Suite 15. Index 16. Other Books You May Enjoy

Configuring Entra ID ESR

Now, we will look at Enterprise State Roaming (ESR), which automatically backs up some device user preferences into Azure for a more seamless experience when moving between Windows devices.

How to do it…

The other device setting within Entra ID is ESR. This is similar to the older User Experience Virtualization (UE-V), which can be found in the Microsoft Desktop Optimization Pack (MDOP).

It backs up certain user settings within Intune and Edge and backs them up to Azure Storage (outside the subscription and without cost).

The following Windows settings are currently backed up:

  • Keyboard: Turn on toggle keys (off by default)
  • Date, time, and region: Country/region
  • Date, time, and region: Region format (locale)
  • Language: Language profile
  • Keyboard: List of keyboards
  • Mouse: Primary mouse button
  • Passwords: Web credentials
  • Pen: Pen handedness
  • Touchpad: Scrolling direction
  • Wi-Fi: Wi-Fi profiles (only WPA)

The following settings are backed up on Edge:

  • Favorites
  • Passwords
  • Addresses and more (form-fill)
  • Collections
  • Settings
  • Extensions
  • Open tabs (available in Microsoft Edge version 88 or later)
  • History (available in Microsoft Edge version 88 or later)

To enable ESR, follow these steps:

  1. Navigate to Entra ID | Devices | Overview | Device settings and click on Enterprise State Roaming.
  2. Change the Users may sync settings and app data across devices setting to All or Selected. As there is no cost regarding this, it is recommended to set it to All.
  3. Then, click Save.

You have now enabled ESR across your tenant.

Automating it

This one is slightly more complicated as it does not work with the Graph API; instead, you have to access the more hidden Azure Identity and Access Management (IAM) API:

  1. Set the necessary variables:
    ##Set to 2 to disable or 0 to enable
    $esrstatus = 0
    $tenantid = "Your-Tenant-ID"
  2. Create the JSON. If we had set it to a select user group, it would be populated within the syncSelectedUsers array. As we are doing an all-or-nothing, we will simply leave the array blank:
    $json = @"
    {
        "isAdminConfigurable": true,
        "isRoamingSettingChanged": true,
        "syncSelectedUsers": [],
        "syncSetting": $esrstatus
    }
    "@
  3. Set the URL (note the non-Graph setup of it):
    $url = "https://main.iam.ad.ext.azure.com/api/RoamingSettings?ESRV2=true"
  4. Now, create the access token and headers.
  5. When you run this section, you will be presented with a hyperlink and some code that you must enter to authenticate. Click the link, enter the code, and then accept the numerous prompts.
  6. Here, we are using Invoke-Restmethod to send a POST request to the oauth2 Microsoft login URL for the tenant and requesting a token for the Entra ID IAM client ID.

    As this one requires user interaction, we will add a while loop to wait until the request has been requested and approved within the web browser. If no activity is detected, the script will stop with an error code:

    ##Create Access Token
    $clientid = "1950a258-227b-4e31-a9cf-717495945fc2"
    $response = Invoke-RestMethod -Method POST -UseBasicParsing -Uri "https://login.microsoftonline.com/$tenantId/oauth2/devicecode" -ContentType "application/x-www-form-urlencoded" -Body "resource=https%3A%2F%2Fmain.iam.ad.ext.azure.com&client_id=$clientId"
    Write-Output $response.message
    $waited = 0
    while($true){
        try{
            $authResponse = Invoke-RestMethod -uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Method POST -Body "grant_type=device_code&resource=https%3A%2F%2Fmain.iam.ad.ext.azure.com&code=$($response.device_code)&client_id=$clientId" -ErrorAction Stop
            $refreshToken = $authResponse.refresh_token
            break
        }catch{
            if($waited -gt 300){
                Write-Verbose "No valid login detected within 5 minutes"
                Throw
            }
            #try again
            Start-Sleep -s 5
            $waited += 5
        }
    }
    $response = (Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body "resource=74658136-14ec-4630-ad9b-26e160ff0fc6&grant_type=refresh_token&refresh_token=$refreshToken&client_id=$clientId&scope=openid" -ErrorAction Stop)
        $resourceToken = $response.access_token
  7. The previous command has given us our access token, which we can then add to the header to call our webrequest. The authorization section always needs to start with "Bearer" and then the access token (in this case, $resourceToken):
    $Headers = @{
        "Authorization" = "Bearer " + $resourceToken
        "Content-type"  = "application/json"
        "X-Requested-With" = "XMLHttpRequest"
        "x-ms-client-request-id" = [guid]::NewGuid()
        "x-ms-correlation-id" = [guid]::NewGuid()
    }
  8. Finally, send the request to enable or disable ESR:
    Invoke-RestMethod -Uri $url -Headers $Headers -Method PUT -Body $json -ErrorAction Stop

This script has automated enabling ESR using the IAM API.

You have been reading a chapter from
Microsoft Intune Cookbook
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image