anyweb

Gathering logs and sending an email when you need to reset Windows Autopilot

Introduction

Windows Autopilot deployment profiles allow you to decide if the user is a local administrator or a standard user. With all the security concerns today, choosing a User account type of Standard as shown below is a logical choice, but it does have some downsides. Certain abilities within Windows are not available to the end user without elevating their status.

standard user autopilot deployment profile.PNG

For example, if things take a nosedive (yes, it does happen) and you need to reset Windows, as a standard user you cannot use Windows' built-in reset abilities without elevating your session. You could use the option in Company Portal, under Devices, but it doesn't allow you to gather logs or email the reason for the reset, and it's troublesome to find.

As an Intune admin you could of course trigger the reset from within the Endpoint Manager portal, but what if you want your users to be in control of when and where they make that choice? Providing users with this self-service ability means one less call to the help desk.

To give your users the ability to easily self reset Windows, and to do it in a way that your company can benefit from, you can provide an app that runs in SYSTEM context via the Company Portal and that's what this blog post covers. It shows you how to display a simple UI to your end users which runs in SYSTEM context, yet can interact with the end users and gather important data prior to initiating the reset.

Step 1. Get the scripts

Note: You can only download these files when logged on to windows-noob.com

reset-windows.zip

Note: In part 2 I've updated these scripts to include more functionality.

Extract the files.

Step 2. Get ServiceUI.exe from MDT

You'll need the ServiceUI.exe executable file to display user interfaces (UI) to end users when operating in SYSTEM context. To get the file, download and install MDT somewhere and navigate to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. To download MDT click here.

Copy the ServiceUI.exe file to your extracted win32app_source folder so it looks like this.

serviceui copied.png

Step 3. Get the Win32 content prep tool

Download the Win32 content prep tool from here.

Copy the IntuneWinAppUtil.exe file to your reset-windows source folder. It should look like this.

IntuneWinAppUtil copied.png

Step 4. Set up SendGrid in Azure

Log in to https://portal.azure.com and add a resource called SendGrid.

setup sendgrid.png

After creating the resource, click on Manage.

manage.png

On the SendGrid website, choose Create a sender.

create a sender.png

 

Once that is done and you've verified the sender, you can review your sender in the settings node in the sender authentication area.

sender authentication.png

Next you should create an API key. To do so, expand Settings in the left pane and choose API Keys followed by Create API Key. I chose full access.

create api key.png

Make sure to copy your API key somewhere safe...

api key created.png

After all that is done, you can test sending your first email; there's lots of help on SendGrid's site. Do not continue until you've got confirmation that you can send email successfully.

Step 5. Modify the script

Using the API key you copied from above, open the reset-windows.ps1 script and paste in that value (line 144 below). Make sure to also configure the $ToAddress and $FromAddress variables.

edit script.png

Save the changes to the script.

Step 6. Create your win32 app

Open a command prompt and browse to the reset-windows folder structure. Launch the IntuneWinAppUtil.exe file and answer the following.

  • Please specify the source folder: win32app_source
  • Please specify the setup file: reset-windows.ps1
  • Please specify the output folder: win32app_target
  • Do you want to specify catalog folder (Y/N)? n

as shown here.

create intunewin.png

After doing that you'll have the needed reset-windows.intunewin file in the win32app_target folder.

intunewin file.png

Step 7. Create your Win32 app in Endpoint Manager

Log into https://endpoint.microsoft.com and add a new Win32 App. Below are some screenshots showing how I've configured the app.

App information

app information.png

Program

Notice how I add install.cmd and uninstall.cmd here, also note that I've selected the Install behavior to System.

program.png

 

Requirements

requirements.png

Detection rules

detection rules.png

with the following detection rules

detection rules.PNG

The app is then assigned as available to All my Windows Autopilot users.

available for.png

Continue through that process and Save the changes.

Step 8. Test it !

Note: you can test the script prior to uploading it to Endpoint Manager easily by using psexec and launching a cmd prompt in system context with psexec /i /s cmd.exe. From there you can launch the PowerShell script.

On a Windows Autopilot computer that is deployed with a user that has a standard user profile, open the company portal app.

company portal.png

After clicking the icon, the app will launch for the end user. The end user can optionally decide how they want to reset Windows by clicking on the radio buttons, or enter some text to explain why they are resetting Windows.

reason why.png


Clicking OK will prompt the end user with some additional text and one last chance at cancelling things. You can customize this text in the PowerShell script.

you have chosen to reset windows.png

If they click OK, then the app gathers Windows Autopilot logs and all logs in C:\Windows\Temp and the user's local temp folder, then it zips them up

log files.png

and finally emails the zip to your chosen address. Once all of those steps are complete (a minute or so) it will start the reset.

It logs the actions in the user's temp folder (which are grabbed in the email)

reset-windows log.png

and here's the restart...

restarting.png

closely followed with the actual reset !

resetting this pc.png

The email will contain all the Windows Autopilot logs + log files from any apps you've installed on the device

windows reset email.png

Job done !

One final note: the email provider you use to receive the emails generated by this process should be one that doesn't natively block ZIP files (and their contents) like Google does. You'll be able to see this behaviour in the SendGrid email status.

Want more? See part 2 of this blog series.
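The gather, zip and email stage described above could be implemented along these lines against SendGrid's v3 Mail Send endpoint. This is an added example, not the code from reset-windows.ps1. Assumptions: the function name Send-ResetLogs, the $ApiKey variable and the addresses are hypothetical; only $ToAddress and $FromAddress are names the post mentions.

```powershell
# Added example; placeholder values, not taken from reset-windows.ps1.
$ApiKey      = '<SENDGRID-API-KEY>'            # hypothetical variable name
$ToAddress   = 'helpdesk@example.com'          # constructed address
$FromAddress = 'autopilot-reset@example.com'   # must be a verified SendGrid sender

function Send-ResetLogs {
    param(
        [string[]]$LogFolders = @("$env:windir\Temp"),
        [string]$Reason = 'No reason given'
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Copy *.log files into a numbered subfolder per source, so two folders
    # that are both named "Temp" do not overwrite each other.
    $stage = Join-Path $env:TEMP ("reset-logs-" + [guid]::NewGuid())
    $zip   = "$stage.zip"
    $i = 0
    foreach ($folder in $LogFolders) {
        $dest = Join-Path $stage ("{0}-{1}" -f ($i++), (Split-Path $folder -Leaf))
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Get-ChildItem -Path $folder -Filter *.log -File -ErrorAction SilentlyContinue |
            Copy-Item -Destination $dest -ErrorAction SilentlyContinue
    }
    Compress-Archive -Path "$stage\*" -DestinationPath $zip -Force

    # SendGrid expects each attachment as a Base64 string in the JSON body.
    $body = @{
        personalizations = @(@{ to = @(@{ email = $ToAddress }) })
        from             = @{ email = $FromAddress }
        subject          = "Windows reset requested on $env:COMPUTERNAME"
        content          = @(@{ type = 'text/plain'; value = "Reason: $Reason" })
        attachments      = @(@{
            content     = [Convert]::ToBase64String([IO.File]::ReadAllBytes($zip))
            filename    = "$env:COMPUTERNAME-logs.zip"
            type        = 'application/zip'
            disposition = 'attachment'
        })
    } | ConvertTo-Json -Depth 6

    Invoke-RestMethod -Method Post -Uri 'https://api.sendgrid.com/v3/mail/send' `
        -Headers @{ Authorization = "Bearer $ApiKey" } `
        -ContentType 'application/json' -Body $body

    # Remove the staging copy and the zip once the message has been accepted.
    Remove-Item $stage, $zip -Recurse -Force
}
```

Invoke-RestMethod throws on any non-success response, so a rejected key or an unverified sender surfaces before the reset is started. This call needs only the Mail Send permission on the API key.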

 

 
