Remote Help is included in E3 and E5 from July 1 – here’s my updated PowerShell script to roll out the RBAC

Introduction

From July 1, Microsoft is rolling out Remote Help as part of Microsoft 365 E3 and E5 – no separate add-on required. That means a lot of organizations need to set up the RBAC properly, rather than leaning on broad built-in roles like Help Desk Operator or School Administrator that grant far more than remote assistance.

Microsoft recommends custom RBAC roles to implement least-privilege access.

Back in December I published a PowerShell script that creates four custom Remote Help RBAC roles and matching Entra ID security groups in under 10 seconds. I have updated it with two additions:

  • -AssignRoles switch that binds each role to its paired group automatically, with scope set to All devices and All users. No more clicking through the Intune portal to assign four roles by hand
  • Multi Admin Approval (MAA) awareness for both role and assignment operations, so the script behaves correctly on tenants where RBAC changes are gated by an approval policy

Read more…

10 days and 10 tips for Microsoft Tunnel Gateway: Day 6

Free TLS Certificates with Let’s Encrypt

Microsoft Tunnel requires a TLS certificate that is trusted by the connecting clients. It doesn’t have to be publicly trusted – an internal PKI cert works fine, as long as you deploy the root CA chain to devices via a Microsoft Intune Trusted Certificate profile.

In a lab, that’s extra work you can skip. Let’s Encrypt is free, already trusted by every iOS and Android device, and you can have a cert issued in under 10 minutes.

Lab/testing use only. Let’s Encrypt certs expire after 90 days and with this approach renewal requires manual DNS interaction each time. Don’t use this approach in production. Use internal PKI or a commercial cert with automated renewal instead.

Prerequisites:

  • A public DNS zone you control, with the ability to create/modify TXT records
  • Sudo access on the Ubuntu Tunnel server
  • Outbound internet access from the server (to reach Let’s Encrypt and apt repos)
  • An email address for Let’s Encrypt expiry notifications

Read more…

10 days and 10 tips for Microsoft Tunnel Gateway: Day 5

When Tunnel Updates Fail

Updates to the Microsoft Tunnel containers can apparently fail mid-process. I’ve seen this on three different deployments where the automatic update pulled container images with SHA256 hashes that weren’t documented anywhere in Microsoft’s official release notes.

This left the agent container endlessly restarting. Here’s how I identified and fixed it without reinstalling.

Note: I’ve only encountered this on Ubuntu Server with Docker containers. I don’t currently work with Red Hat/Podman, so I can’t speak to that environment.

Read more…

10 days and 10 tips for Microsoft Tunnel Gateway: Day 4

Post-Installation Health Check

The Microsoft Intune admin center shows basic tunnel server status, but when I’m SSH’d into a server troubleshooting, I need answers faster.

This health check script shows everything in seconds. I run it right after installation to verify everything works, and whenever I’m troubleshooting to see what’s broken.

GitHub Repository: https://github.com/imabdk/Microsoft-Tunnel-Gateway

What it checks:

  1. Service and container status (mst-cli health + Docker/Podman container validation)
  2. Configuration files and sync status from logs
  3. Certificate expiration (warns if under 30 days)
  4. Recent errors in logs (last 30 minutes of mstunnel-agent, mstunnel_monitor, ocserv)
  5. Server configuration (routes, DNS, ports from admin-settings.json)
  6. Listening ports

Read more…

10 days and 10 tips for Microsoft Tunnel Gateway: Day 3

Automate Your Prerequisites

If you’re deploying multiple tunnel servers or rebuilding environments, save yourself the hassle and automate it. I’ve created shell scripts to handle all the prerequisites and configuration steps.

Available Scripts

GitHub Repository: https://github.com/imabdk/Microsoft-Tunnel-Gateway

  • setup-prerequisites-ubuntu.sh – System prerequisites and package installation (Docker, kernel modules, jq)
  • setup-auditing-ubuntu.sh – Configure audit logging for security compliance
  • setup-firewall-ubuntu.sh – Firewall configuration and rules setup

Read more…

10 days and 10 tips for Microsoft Tunnel Gateway: Day 2

Expand Your Readiness Checks

The official readiness script is a good start, but it has a blind spot when checking outbound connectivity: redirect chains. When an endpoint redirects to another domain that’s blocked, the script just throws “Error: not expected” without telling you what’s actually being blocked.

That’s why I built a custom diagnostic tool – to trace those redirect chains and tell you exactly which domain is causing the problem.

Read more…

Template for the Win32 PowerShell script installer in Microsoft Intune

Introduction

Microsoft Intune now supports using a PowerShell script as the installer for Win32 apps. Instead of specifying a command line, you upload a script. This gives admins more flexibility when deploying applications.

I’ve created a template (install and uninstall) that can serve as inspiration, but also demonstrates how this enables you to:

  • Install or uninstall an application (MSI or EXE)
  • Copy or remove files to or from any directory
  • Add or remove registry settings

All as part of the same deployment. The script handles both SYSTEM and current user context – and when running as SYSTEM, it applies file and HKCU registry changes to all existing user profiles on the device.

The template is available on GitHub: imabdk/Intune-Win32-PowerShell-Script-Installer-Template 🙂

Read more…

Configure default fonts in Outlook (classic) with PowerShell and Microsoft Intune

Introduction

In my previous post, I shared a PowerShell template for managing registry settings via Microsoft Intune Remediations. The script handles both HKCU and HKLM, supports all registry types, and works on Microsoft Entra ID and hybrid joined devices.

But what’s a good template without a real-world example?

If you manage Windows devices, you’ve probably had this request:

  • “Can we standardize the email font across the company?”
  • “Everyone uses different fonts and sizes – it looks unprofessional”
  • “New employees should start with the correct font settings”

Default fonts in Outlook are stored in the registry as binary values – not exactly something you can deploy with a settings catalog policy. Microsoft Intune doesn’t provide a native way to configure this.

This post shows how to solve that problem using the registry management template. The configuration:

  • Sets default fonts for composing, replying, and plain text emails
  • Applies to all user profiles on the device
  • Deploys via Intune Remediations

Important: This only works for Outlook (classic) – the desktop app from Microsoft 365 Apps. The new Outlook for Windows stores settings in the cloud and cannot be configured via registry.

Read more…

The only PowerShell script you need to manage registry on Windows devices using Microsoft Intune

Introduction

If you manage Windows devices with Microsoft Intune, this is the only registry script you’ll ever need.

You need to configure a registry setting that isn’t in Settings Catalog. Maybe it’s a binary value like Outlook font preferences with no CSP support. Maybe you need to delete leftover registry keys from a legacy app. And you need it applied to all user profiles on shared devices – not just one.

Remediations in Intune can help, but writing scripts that handle all these scenarios correctly takes time.

This PowerShell template handles the hard parts:

  • Runs as SYSTEM by design – manages both user and machine registry from one script, works in environments with strict AppLocker or WDAC policies, and avoids Constrained Language Mode restrictions
  • Reaches HKCU settings for all users by enumerating SIDs in HKU
  • Supports both traditional AD and Microsoft Entra ID joined devices
  • Handles all registry types – String, DWord, Binary, MultiString
  • Three actions: Set, Delete, and DeleteKey

Single template for both detection and remediation. Modify the configuration section, save two copies, upload to Intune. Done.

Read more…