10 days and 10 tips for Microsoft Tunnel Gateway: Day 4

April 3, 2026April 1, 2026 by Martin Bengtsson

Post-Installation Health Check

The Microsoft Intune admin center shows basic tunnel server status, but when I’m SSH’d into a server troubleshooting, I need answers faster.

This health check script shows everything in seconds. I run it right after installation to verify everything works, and whenever I’m troubleshooting to see what’s broken.

GitHub Repository: https://github.com/imabdk/Microsoft-Tunnel-Gateway

What it checks:

Service and container status (mst-cli health + Docker/Podman container validation)
Configuration files and sync status from logs
Certificate expiration (warns if under 30 days)
Recent errors in logs (last 30 minutes of mstunnel-agent, mstunnel_monitor, ocserv)
Server configuration (routes, DNS, ports from admin-settings.json)
Listening ports

10 days and 10 tips for Microsoft Tunnel Gateway: Day 3

March 27, 2026March 11, 2026 by Martin Bengtsson

Automate Your Prerequisites

If you’re deploying multiple tunnel servers or rebuilding environments, save yourself the hassle and automate it. I’ve created shell scripts to handle all the prerequisites and configuration steps.

Available Scripts

GitHub Repository: https://github.com/imabdk/Microsoft-Tunnel-Gateway

setup-prerequisites-ubuntu.sh – System prerequisites and package installation (Docker, kernel modules, jq)
setup-auditing-ubuntu.sh – Configure audit logging for security compliance
setup-firewall-ubuntu.sh – Firewall configuration and rules setup

10 days and 10 tips for Microsoft Tunnel Gateway: Day 2

March 8, 2026 by Martin Bengtsson

Expand Your Readiness Checks

The official readiness script is a good start, but it has a blind spot in regards to checking for outbound connectivity: redirect chains. When an endpoint redirects to another domain that’s blocked, the script just throws “Error: not expected” without telling you what’s actually being blocked.

That’s why I built a custom diagnostic tool – to trace those redirect chains and tell you exactly which domain is causing the problem.

10 days and 10 tips for Microsoft Tunnel Gateway: Day 1

March 8, 2026March 6, 2026 by Martin Bengtsson

Run the Readiness Tool

Always run mst-readiness.sh before installation
Validates OS, network, firewall, and system requirements
Saves you from troubleshooting issues that could’ve been caught upfront
Download from directly from Microsoft: https://aka.ms/microsofttunnelready

Template for the Win32 PowerShell script installer in Microsoft Intune

March 8, 2026February 14, 2026 by Martin Bengtsson

Introduction

Microsoft Intune now supports using a PowerShell script as the installer for Win32 apps. Instead of specifying a command line, you upload a script. This gives admins more flexibility when deploying applications.

I’ve created a template (install and uninstall) that can serve as inspiration, but also demonstrates how this enables you to:

• Install or uninstall an application (MSI or EXE)
• Copy or remove files to or from any directory
• Add or remove registry settings

All as part of the same deployment. The script handles both SYSTEM and current user context – and when running as SYSTEM, it applies file and HKCU registry changes to all existing user profiles on the device.

The template is available on GitHub: imabdk/Intune-Win32-PowerShell-Script-Installer-Template 🙂

Configure default fonts in Outlook (classic) with PowerShell and Microsoft Intune

February 14, 2026January 27, 2026 by Martin Bengtsson

Introduction

In my previous post, I shared a PowerShell template for managing registry settings via Microsoft Intune Remediations. The script handles both HKCU and HKLM, supports all registry types, and works on Microsoft Entra ID and hybrid joined devices.

But what’s a good template without a real-world example?

If you manage Windows devices, you’ve probably had this request:

“Can we standardize the email font across the company?”
“Everyone uses different fonts and sizes – it looks unprofessional”
“New employees should start with the correct font settings”

Default fonts in Outlook are stored in the registry as binary values – not exactly something you can deploy with a settings catalog policy. Microsoft Intune doesn’t provide a native way to configure this.

This post shows how to solve that problem using the registry management template. The configuration:

Sets default fonts for composing, replying, and plain text emails
Applies to all user profiles on the device
Deploys via Intune Remediations

Important: This only works for Outlook (classic) – the desktop app from Microsoft 365 Apps. The new Outlook for Windows stores settings in the cloud and cannot be configured via registry.

The only PowerShell script you need to manage registry on Windows devices using Microsoft Intune

March 6, 2026January 26, 2026 by Martin Bengtsson

Introduction

If you manage Windows devices with Microsoft Intune, this is the only registry script you’ll ever need.

You need to configure a registry setting that isn’t in Settings Catalog. Maybe it’s a binary value like Outlook font preferences with no CSP support. Maybe you need to delete leftover registry keys from a legacy app. And you need it applied to all user profiles on shared devices – not just one.

Remediations in Intune can help, but writing scripts that handle all these scenarios correctly takes time.

This PowerShell template handles the hard parts:

Runs as SYSTEM by design – manages both user and machine registry from one script, works in environments with strict AppLocker or WDAC policies, and avoids Constrained Language Mode restrictions
Reaches HKCU settings for all users by enumerating SIDs in HKU
Supports both traditional AD and Microsoft Entra ID joined devices
Handles all registry types – String, DWord, Binary, MultiString
Three actions: Set, Delete, and DeleteKey

Single template for both detection and remediation. Modify the configuration section, save two copies, upload to Intune. Done.

How To Get There From Here: Monitor Passkey and Phishing-resistant MFA User Adoption with PowerShell

January 19, 2026January 19, 2026 by Martin Bengtsson

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys and phishing-resistant MFA in Microsoft Entra ID. In the previous post, we implemented break glass accounts with passkey (FIDO2) authentication.

This post covers the next practical step: Monitoring passkey adoption across your organization.

Microsoft Entra ID provides authentication method reports in the portal, but tracking passkey adoption at scale isn’t straightforward. While you can view individual user registration details, identifying users who haven’t enrolled passkeys requires manual work – exporting data, filtering through lists, and piecing together adoption statistics across your organization.

This post shares a PowerShell script that queries Microsoft Graph API to check authentication method enrollment at scale. The script can track Microsoft Authenticator, Passkey (FIDO2), or both methods across all users or specific groups. It generates adoption statistics and identifies users who haven’t enrolled the required methods.

Yet again, we’ll show you How To Get There From Here. 🔒

How To Get There From Here: Break Glass Account With Phishing-resistant MFA in Entra ID

January 19, 2026January 17, 2026 by Martin Bengtsson

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys in Microsoft Entra ID – what they are, how they work, and how to get started with phishing-resistant and passwordless authentication.

As Conditional Access policies become more complex and phishing-resistant authentication becomes a requirement, break glass accounts need to be configured correctly. An improperly configured emergency access account won’t help during an actual lockout scenario.

This post documents how to set up a break glass account with passkey (FIDO2) authentication from scratch. Microsoft recommends phishing-resistant MFA for emergency access accounts, and we’ll walk through the complete implementation in our own tenant.

Each step is covered, including TAP configuration, passkey registration, SSPR handling, and Conditional Access exclusions. The process follows Microsoft’s official guidance while showing the practical details you’ll encounter when building this yourself.

This walkthrough is a collaboration between Martin Bengtsson and Christian Frohn, documenting the implementation in our tenant.

So when your Conditional Access policies say “you can’t get there from here,” we’ll show you How To Get There From Here.

Create Microsoft Intune Remote Help RBAC Roles and Groups automatically with PowerShell

December 23, 2025December 23, 2025 by Martin Bengtsson

Introduction

Microsoft Intune Remote Help uses role-based access control (RBAC). Intune includes built-in roles like Help Desk Operator and School Administrator that provide Remote Help access.

The Help Desk Operator and School Administrator roles include full Remote Help permissions along with additional rights, such as wiping or retiring devices and assigning apps or policies. If an account with these roles is compromised, the attacker gains access beyond remote assistance capabilities.

Microsoft recommends custom RBAC roles to implement least-privilege access. Creating them manually in the Intune admin center requires defining permissions, creating the role, setting up security groups, and assigning scope – typically around 30 minutes for all four roles given no mistakes are made.

This PowerShell script creates four custom roles and corresponding security groups in under 10 seconds:

Level 1 Support – View-only access
Level 2 Support – Full control (without elevation)
Senior Techs – Elevation permission (for UAC/admin actions)
Device Teams – Unattended access (for Android dedicated devices)

Each role contains only the Remote Help permissions required for its tier and no additional device management permissions.