____ __ _ ___ __
/ _/___ / /___ ______ ___ | | / (_)___ ____/ /___ _ _______
/ // __ \/ __/ / / / __ \/ _ \ | | /| / / / __ \/ __ / __ \ | /| / / ___/
_/ // / / / /_/ /_/ / / / / __/ | |/ |/ / / / / / /_/ / /_/ / |/ |/ (__ )
/___/_/ /_/\__/\__,_/_/ /_/\___/ |__/|__/_/_/ /_/\__,_/\____/|__/|__/____/
Temporary Access Pass (TAP) is a time-limited passcode that an administrator issues to a user so the user can sign in and register or recover their sign-in methods (for example during device setup, or when locked out) without an IT technician at the keyboard. The TAP method policy itself (minimum/maximum lifetime, passcode length, one-time use, targeted users) is managed in the Microsoft Entra admin center under Protection > Authentication methods > Temporary Access Pass; an issued TAP is a credential and should be handled like one. This guide outlines the steps to enable and configure TAP in Microsoft Intune.
- Go to the Microsoft Endpoint Manager Admin Center and sign in with your admin credentials.
- In the Microsoft Endpoint Manager Admin Center, go to **Devices** > **Enroll devices** > **Enrollment Program Tokens**.
- If you don't already have an Enrollment Program Token, click **+ Create**; if you have an existing token, click on it to edit.
- **Find and Configure TAP Settings**: within the Enrollment Program Token settings, locate the **Temporary Access Pass** section and enable TAP by toggling the switch to **On**.
- **Configure TAP Settings**:
  - Duration: set how long the TAP remains valid.
  - Password Complexity: define the complexity requirements for the TAP.
  - Number of Attempts: specify the number of allowed attempts before a user must contact support.
- Click **Save** to apply the TAP settings, and ensure that the updated token settings are applied to your devices.
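Once TAP is enabled, an administrator still has to issue a pass to a specific user. The script below is an added example (not one of this repository's scripts) that does so through Microsoft Graph with the Microsoft.Graph PowerShell SDK, refuses to create a second pass for a user who already has one, and can revoke an outstanding pass. The user principal name, the 60-minute default and the one-time-use choice are assumptions; the lifetime must fall within the bounds set in the TAP method policy.

```powershell
# Added example: issue or revoke a Temporary Access Pass for one user via Microsoft Graph.
# Not part of this repository's scripts. UPN, lifetime and the one-time-use default are assumptions.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [int]$LifetimeInMinutes = 60,     # must be within the TAP policy's minimum/maximum lifetime
    [switch]$Revoke                   # remove any existing pass instead of issuing one
)
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

if ($Revoke) {
    # Revoking is the only way to invalidate a pass before it expires.
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
        ForEach-Object {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
                -TemporaryAccessPassAuthenticationMethodId $_.Id
            Write-Host "Revoked TAP $($_.Id) for $UserPrincipalName"
        }
    return
}

# A user can hold only one TAP at a time; report that instead of failing on the create call.
$existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName
if ($existing) {
    throw "User $UserPrincipalName already has a TAP (id $($existing.Id)); run again with -Revoke first."
}

# One-time use limits the damage if the pass is intercepted on its way to the user.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
           -LifetimeInMinutes $LifetimeInMinutes -IsUsableOnce

# The pass value is returned only by this call; it cannot be read back later.
[pscustomobject]@{
    User    = $UserPrincipalName
    Pass    = $tap.TemporaryAccessPass
    Expires = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTime = $tap.IsUsableOnce
}
```

Hand the pass to the user out of band (phone call or in person rather than the mailbox they are locked out of), and revoke it as soon as the user has registered Windows Hello for Business or another strong method.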
- **Navigate to Connectors and Tokens**: go to **Tenant Administration** > **Connectors and tokens**.
- **Configure Windows Data Settings**: click on the **Windows data** node. Here you can configure your tenant to support Windows diagnostic data in processor configuration.
Note:
- Enabling the Windows Diagnostic setting will activate Intune features powered by Windows diagnostic data.
- It will also enable the Windows diagnostic data processor configuration if your tenant is not already opted-in.
- **Confirm Licensing Requirements**: an Intune Service Administrator must confirm licensing requirements before using the Windows 11 Upgrade Readiness report and proactive remediations for the first time.
- To use these features, confirm your tenant has one of the following licenses. You must be a Global Administrator or Intune Service Administrator to confirm licenses:
  - Windows 10 or later Enterprise E3 or E5; or Microsoft 365 F3, E3, or E5
  - Windows 10 or later Education A3 or A5; or Microsoft 365 A3 or A5
  - Windows Virtual Desktop Access E3 or E5
- Set **I confirm that my tenant owns one of these licenses** to **On**.
- **Importing HASH Keys**

Importing a device's hardware hash (HASH key) lets the device be assigned to your tenant as soon as it connects to the internet, and the association persists after a reset. Pre-registration by the vendor must be specifically requested before ordering devices.
Alternatively, you can extract the hardware hash from existing devices using scripts (see the scripts contained within the folder Configure - Importing HASH Keys).
Run the CMD script from a connected USB drive in an elevated session (the hash is read from WMI and requires administrator rights). The script creates a CSV file in the same directory and appends a row for each machine it is run on.
The script will attempt to automatically import the new hardware hash if Intune administrator details are provided when prompted.
Read the guide on how to manually import keys.
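The following is an added example of the collection step, written in PowerShell; it is not the CMD script shipped in the Configure - Importing HASH Keys folder. It reads the hardware hash from the same WMI class that Get-WindowsAutopilotInfo uses, appends a row in the CSV layout the Intune Autopilot import accepts, skips serial numbers already in the file, and optionally posts the identity straight to Microsoft Graph. The output file name, the group tag and the access-token parameter are assumptions.

```powershell
# Added example (not the repository's CMD script): collect this machine's Autopilot hardware
# hash into a CSV and optionally import it through Microsoft Graph. Run elevated.
# Output path, group tag and token handling are assumptions for illustration.
[CmdletBinding()]
param(
    [string]$OutputFile  = (Join-Path $PSScriptRoot 'AutopilotHashes.csv'),
    [string]$GroupTag    = '',       # becomes the [OrderID] attribute used by the dynamic-group queries below
    [string]$AccessToken = ''        # optional Graph bearer token; leave empty to only write the CSV
)
$ErrorActionPreference = 'Stop'

# The hash is only readable by an administrator; fail early rather than write an empty row.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Serial number from the BIOS, hardware hash from the MDM bridge WMI provider.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
              -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash   = $detail.DeviceHardwareData
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw 'No hardware hash returned (virtual machine or unsupported firmware?).'
}

# Row in the layout the Intune Autopilot CSV import expects; Windows Product ID is optional.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}

# Append, but never duplicate a serial that is already in the file (re-running on the same box).
$existing = if (Test-Path $OutputFile) { @(Import-Csv $OutputFile) } else { @() }
if ($existing.'Device Serial Number' -contains $serial) {
    Write-Warning "Serial $serial is already in $OutputFile; not appending."
} else {
    $row | Export-Csv -Path $OutputFile -NoTypeInformation -Append
    Write-Host "Appended $serial to $OutputFile"
}

# Optional direct import. Assumes a token carrying DeviceManagementServiceConfig.ReadWrite.All.
# DeviceHardwareData is already base64, which is what hardwareIdentifier expects.
if ($AccessToken) {
    $body = @{
        serialNumber       = $serial
        productKey         = ''
        groupTag           = $GroupTag
        hardwareIdentifier = $hash
    } | ConvertTo-Json
    Invoke-RestMethod -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities' `
        -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } `
        -Body $body | Select-Object id, serialNumber, state
}
```

The CSV holds serial numbers and hardware hashes for every device it was run on, so treat the USB drive as sensitive inventory and delete the file once the hashes have been imported.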
- Create a group in Azure AD: from the Azure AD home page, click **Groups** > **New Group**.
- Set **Group Type** to **Security**, then give the group a name and description.
- Set **Membership Type** to **Dynamic Device**.
- Under **Add dynamic query**, open the advanced rule editor and add
  `(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))`
  (or one of the queries in the table below), then click **Add query**.
Once done, the group is created and all AutoPilot devices will be added to it automatically (dynamic membership is evaluated in the background, so newly registered devices appear after a short delay).
| Devices | Query |
|---|---|
| All Windows AutoPilot devices | `(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))` |
| All Windows AutoPilot devices with a specific order ID (the Autopilot group tag) | `(device.devicePhysicalIds -any (_ -eq "[OrderID]:{YourOrderId}"))` |
| All Windows AutoPilot devices with a specific purchase order ID | `(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:{YourPurchaseOrderId}"))` |
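The same group can be created from PowerShell, which is useful when the group tag convention is repeated across several offices. The script below is an added example (not part of this repository) using the Microsoft.Graph module: it builds the rule from the table above, checks that a group of that name does not already exist, and creates it with dynamic membership processing switched on. The display name and the order ID value are assumptions.

```powershell
# Added example (not the repository's own code): create an Autopilot dynamic device group
# with the Microsoft.Graph PowerShell module. Display name and order ID are assumptions.
param(
    [string]$DisplayName = 'All Autopilot Devices',
    [string]$OrderId     = ''        # empty = all Autopilot devices; set a group tag to scope the group
)
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Rule from the table above. The order-ID variant is an exact match, so a tag such as
# "Office-A" cannot accidentally match devices tagged "Office-A1".
$rule = if ($OrderId) {
    "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$OrderId`"))"
} else {
    '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'
}

# Refuse to create a second group with the same name; two groups with the same rule
# make assignment conflicts hard to diagnose. Apostrophes are doubled for the OData filter.
$escaped  = $DisplayName -replace "'", "''"
$existing = Get-MgGroup -Filter "displayName eq '$escaped'"
if ($existing) { throw "Group '$DisplayName' already exists (id $($existing.Id))." }

$group = New-MgGroup -DisplayName $DisplayName `
    -Description "Windows Autopilot devices, dynamic rule: $rule" `
    -MailEnabled:$false -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

Write-Host "Created group $($group.DisplayName) ($($group.Id)) with rule: $rule"

# Membership is computed asynchronously; check back after a few minutes.
# Get-MgGroupMember -GroupId $group.Id | Select-Object -ExpandProperty AdditionalProperties
```

Keep the group tag in the rule identical to the tag used when the hardware hash was imported; the dynamic rule does no normalisation, so a trailing space or different case in the tag silently yields an empty group.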
- Create a Local Administrator Account
- Enable LAPS for password management, so the local administrator password is rotated per device rather than shared as a static secret
- Configure WiFi
- Configure Desktop Background: this is dependent on the **Software Custom - IntuneDependencies** package.
- Configure Taskbar: deploy in conjunction with the software.
- Configure SharePoint OneDrive AutoSync: it is recommended to deploy the bonus remediation script.
- Recommended System Software
|-Software Custom
|---DesktopInfo
|---ExplorerPatcher
|---IntuneDependencies
|---LoadingScreen (per user)
|---Managed Printers
|---ZeroTier
- Recommended System Remediation Scripts
|-Script
|---Clear-TeamsCache
|---Configure-ExplorerPatcher
|---Device-Auto-Syncer
|-Configure
|---OneDrive (silent sync)
- Dynamic Groups for Targeted Deployment
Use Case: Office or Department based application or printer deployment.
- General Deployables
|-Software
|---Asana
|---Bitdefender
|---Citrix Workspace
|---Google Chrome
|---Slack
|---Teams
See **Software - TEMPLATE** for a base script to use or package when deploying software to Intune; it supports .msi and .exe installers.
- Microsoft Office: Deploy via Intune Microsoft Store.
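As an added illustration of what such an install wrapper has to do (this is not the repository's TEMPLATE script), the following PowerShell handles both .msi and .exe installers, verifies the installer's Authenticode signature before launching it, logs alongside the Intune Management Extension logs, and passes the exit codes Intune understands back out. The log location, the publisher pattern and the silent switches are assumptions.

```powershell
# Added example (not the repository's TEMPLATE script): Intune Win32 install wrapper for .msi/.exe.
# Log folder, expected publisher and silent switches are assumptions for illustration.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Installer,   # e.g. .\setup.msi or .\setup.exe packaged with this script
    [string]$Arguments       = '',              # silent switches for .exe installers, e.g. '/S' or '/quiet /norestart'
    [string]$ExpectedSubject = '',              # e.g. 'CN=Google LLC*'; empty skips the publisher check
    [string]$LogDir          = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"
)
$ErrorActionPreference = 'Stop'
$Installer = (Resolve-Path $Installer).Path
$name      = [IO.Path]::GetFileNameWithoutExtension($Installer)
$log       = Join-Path $LogDir "$name-install.log"
$msiLog    = Join-Path $LogDir "$name-msi.log"
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $log -Append | Out-Host
}

# 1. Refuse to run an unsigned or tampered binary; the package is only as trustworthy as this check.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    Write-Log "Signature status '$($sig.Status)' for $Installer; aborting"; exit 1
}
if ($ExpectedSubject -and $sig.SignerCertificate.Subject -notlike $ExpectedSubject) {
    Write-Log "Unexpected signer '$($sig.SignerCertificate.Subject)'; aborting"; exit 1
}

# 2. Pick the launcher by extension. msiexec gets a verbose log; .exe relies on the supplied switches.
switch ([IO.Path]::GetExtension($Installer).ToLowerInvariant()) {
    '.msi' { $exe = 'msiexec.exe'; $argList = "/i `"$Installer`" /qn /norestart /l*v `"$msiLog`" $Arguments" }
    '.exe' { $exe = $Installer;    $argList = $Arguments }
    default { Write-Log "Unsupported installer type: $Installer"; exit 1 }
}

Write-Log "Running: $exe $argList"
$proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode
Write-Log "Installer exit code: $code"

# 3. Surface the codes Intune maps by default (0 success, 3010 soft reboot, 1641 hard reboot,
#    1618 retry because another installation is running); everything else is a plain failure.
switch ($code) {
    0       { exit 0 }
    3010    { exit 3010 }
    1641    { exit 1641 }
    1618    { exit 1618 }
    default { Write-Log "Treating $code as failure"; exit 1 }
}
```

Pair the wrapper with a detection rule (MSI product code for .msi, file version or registry key for .exe) rather than relying on the exit code alone; Intune uses the detection rule, not the wrapper, to decide whether the app is installed.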
- Deployable Additionals
|-Configure
|---Add Chrome or Edge Extensions
|-----Tab Suspender
|-----Tab Limiter
or
|-Script
|---Install Chrome or Edge Extensions
|-----Tab Suspender
|-----Tab Limiter