Template for the Win32 PowerShell script installer in Microsoft Intune

Introduction

Microsoft Intune now supports using a PowerShell script as the installer for Win32 apps. Instead of specifying a command line, you upload a script. This gives admins more flexibility when deploying applications.

I’ve created a template (install and uninstall) that can serve as inspiration, but also demonstrates how this enables you to:

Install or uninstall an application (MSI or EXE)
Copy or remove files to or from any directory
Add or remove registry settings

All as part of the same deployment. The script handles both SYSTEM and current user context – and when running as SYSTEM, it applies file and HKCU registry changes to all existing user profiles on the device.

The template is available on GitHub: imabdk/Intune-Win32-PowerShell-Script-Installer-Template 🙂

Configure default fonts in Outlook (classic) with PowerShell and Microsoft Intune

Introduction

In my previous post, I shared a PowerShell template for managing registry settings via Microsoft Intune Remediations. The script handles both HKCU and HKLM, supports all registry types, and works on Microsoft Entra ID and hybrid joined devices.

But what’s a good template without a real-world example?

If you manage Windows devices, you’ve probably had this request:

  • “Can we standardize the email font across the company?”
  • “Everyone uses different fonts and sizes – it looks unprofessional”
  • “New employees should start with the correct font settings”

Default fonts in Outlook are stored in the registry as binary values – not exactly something you can deploy with a settings catalog policy. Microsoft Intune doesn’t provide a native way to configure this.

This post shows how to solve that problem using the registry management template. The configuration:

  • Sets default fonts for composing, replying, and plain text emails
  • Applies to all user profiles on the device
  • Deploys via Intune Remediations

Important: This only works for Outlook (classic) – the desktop app from Microsoft 365 Apps. The new Outlook for Windows stores settings in the cloud and cannot be configured via registry.

The only PowerShell script you need to manage registry on Windows devices using Microsoft Intune

Introduction

If you manage Windows devices with Microsoft Intune, this is the only registry script you’ll ever need.

You need to configure a registry setting that isn’t in Settings Catalog. Maybe it’s a binary value like Outlook font preferences with no CSP support. Maybe you need to delete leftover registry keys from a legacy app. And you need it applied to all user profiles on shared devices – not just one.

Remediations in Intune can help, but writing scripts that handle all these scenarios correctly takes time.

This PowerShell template handles the hard parts:

  • Runs as SYSTEM by design – manages both user and machine registry from one script, works in environments with strict AppLocker or WDAC policies, and avoids Constrained Language Mode restrictions
  • Reaches HKCU settings for all users by enumerating SIDs in HKU
  • Supports both traditional AD and Microsoft Entra ID joined devices
  • Handles all registry types – String, DWord, Binary, MultiString
  • Three actions: Set, Delete, and DeleteKey

Single template for both detection and remediation. Modify the configuration section, save two copies, upload to Intune. Done.

Create Microsoft Intune Remote Help RBAC Roles and Groups automatically with PowerShell

Introduction

Microsoft Intune Remote Help uses role-based access control (RBAC). Intune includes built-in roles like Help Desk Operator and School Administrator that provide Remote Help access.

The Help Desk Operator and School Administrator roles include full Remote Help permissions along with additional rights, such as wiping or retiring devices and assigning apps or policies. If an account with these roles is compromised, the attacker gains access beyond remote assistance capabilities.

Microsoft recommends custom RBAC roles to implement least-privilege access. Creating them manually in the Intune admin center requires defining permissions, creating the role, setting up security groups, and assigning scope – typically around 30 minutes for all four roles, assuming no mistakes are made.

This PowerShell script creates four custom roles and corresponding security groups in under 10 seconds:

  • Level 1 Support – View-only access
  • Level 2 Support – Full control (without elevation)
  • Senior Techs – Elevation permission (for UAC/admin actions)
  • Device Teams – Unattended access (for Android dedicated devices)

Each role contains only the Remote Help permissions required for its tier and no additional device management permissions.

Deploying and configuring uBlock Origin Lite with PowerShell and Microsoft Intune

Introduction

Ad blocking is often dismissed as a convenience feature for users tired of intrusive banners and pop-ups. But in 2025 – almost 2026 – it’s time to reframe the conversation: ad blocking is a fundamental security control every organization should implement.

Malvertising has become an extremely effective attack vector. Threat actors exploit legitimate ad networks to deliver malware, phishing sites, and exploit kits – even on trusted websites. Tracking scripts in ads also collect sensitive data, creating privacy and compliance risks.

The good news? Ad blocking is free, proven security you can deploy today. Installing uBlock Origin Lite is easy. Configuring it at scale for an enterprise? That’s the challenging part. In this post, I’ll show you how I solved that challenge with a comprehensive PowerShell script that centrally configures uBlock Origin Lite across managed browsers using Microsoft Intune.

Notifying users on Windows when an iOS update is required – Microsoft Intune, Automation Account and Toast Notification Script combined

Introduction

Your users carry iPhones but spend most of their workday on Windows devices. When Apple releases an iOS update, Intune can flag non-compliance – but the built-in notifications on iOS are often overlooked and don’t have the same visibility or urgency as alerts on a user’s primary work device.

The solution: cross-platform automation. By combining two PowerShell solutions – one that monitors iOS versions in Microsoft Intune and maintains dynamic user groups, and another that delivers branded Windows toast notifications – you can automatically alert Windows users when their iOS devices need updating.

BIG ANNOUNCEMENT: Toast Notification Script v3 is here!

Introduction

I’ve completely REWRITTEN my popular Toast Notification Script from the ground up – now exclusively for Microsoft Intune!

What’s new:

  • Built specifically for Intune Remediations
  • Enhanced logging & smart detection logic
  • Personalized user greetings
  • Multiple notification scenarios

Perfect for:

  • Weekly reminders/messages
  • Pending reboot notifications
  • Company Portal integration
  • Custom organizational messages

Ready to deploy? Get it now: https://github.com/imabdk/Toast-Notification-Script

Temp. documentation down below. 🙂

Building a Break-Glass Local Admin Solution for Windows 11 using Intune and Defender for Endpoint

Introduction

I’ve been in situations where I needed local admin access to a device, and I needed it *now*. Users couldn’t log in, LAPS wouldn’t retrieve passwords, or domain connectivity and trust had failed. You’re staring at a locked device with no way in, and waiting isn’t an option.

Modern endpoint management is fantastic until it isn’t. We’ve eliminated persistent local admin accounts, embraced cloud authentication, and deployed LAPS – all best practices. But what happens when all of those fail simultaneously?

This post documents the break-glass solution I built for those “need it now” scenarios: a remotely deployable emergency local administrator account using Intune Remediations, with monitoring through Microsoft Defender for Endpoint.

💡 By default, remediations run on a schedule. However, you can run remediations on-demand in Intune, which triggers the scripts to execute instantly (almost) on targeted devices via Windows Notification Service (WNS). This is critical for true emergencies when you can’t wait.

Blocking SSH binaries with AppLocker and Port 22 in Windows Firewall Using Microsoft Intune

Introduction

Outbound SSH can be a serious blind spot. Attackers can use SSH tunnels to bypass firewalls, EDR, and even AppLocker — proxying malicious activity without running tools directly on the host. This enables lateral movement and internal compromise.

To mitigate this, I block outbound SSH connections and enforce application control on SSH binaries using Microsoft Intune, combining Windows Firewall and AppLocker for layered protection.

How to manage the new Microsoft 365 companion apps rolling out to Windows 11

Introduction

Microsoft is introducing new Microsoft 365 companion apps to Windows 11 devices as part of a broader integration effort. These apps may be installed automatically unless you opt out, but you can also choose to install them early for testing.

In this post, I’ll walk through how to manage the rollout: opting out of auto-installation, installing manually, uninstalling if needed, disabling automatic startup, and pinning the apps to your taskbar for quick access.
