Managing your modern workplace with Microsoft Intune and Azure Automation
If you are looking for a way to simplify your modern workplace management, Microsoft Endpoint Manager (Intune) is your answer.
I’m a big fan of deploying Windows 10 devices with Windows Autopilot, enrolling them as Azure AD Joined machines into Microsoft’s cloud-based MDM (Mobile Device Management) solution: Intune.
There’s already so much one can do with Microsoft Intune, and it gets better every week. However, there’s something that I feel is missing, namely the ability to remotely manage and troubleshoot Windows 10 devices without interfering with end-user productivity.
This blog post won’t teach you how to remotely control an (unattended) device using screen sharing, which is something I hope will become available at some point too! But you will learn how to enroll your Windows 10 Intune-managed devices into Azure Automation as Hybrid Runbook Workers, so you can use PowerShell Runbooks to manage and troubleshoot devices.
PowerShell scripts limitations in Microsoft Intune
With Microsoft Intune, you can already deploy PowerShell scripts to Windows 10 devices. But when you dive a little deeper into that feature, you’ll notice that there are some limitations:
- PowerShell scripts in Microsoft Intune are a “Run and forget” solution. It does not support running PowerShell scripts on a scheduled basis;
- You can see if the PowerShell script execution was successful or failed, however the output generated is only available on the endpoint that executes it and is not returned to the Microsoft Endpoint Manager Admin Portal;
- The executed PowerShell scripts are visible in the IntuneManagementExtension log file as plain text, so you cannot pass credentials securely. If this is something you’d like to see added, vote for it on uservoice.
- Execution of PowerShell scripts is not “On-demand”, as the Intune Management Extension agent that is responsible for executing them on the endpoints checks once an hour for new scripts.
PowerShell Runbooks through Azure Automation
With Azure Automation, you can also execute PowerShell Runbooks on Windows 10 devices (when they are registered as Hybrid Runbook Worker). So how does Azure Automation solve the limitations above?
- You can schedule PowerShell Runbooks using Azure Automation;
Imagine that you have some Windows Kiosk PCs running all day, even when the company is closed. With Azure Automation you can schedule a PowerShell Runbook to run daily on those devices that executes a shutdown cmdlet.
- Every time a PowerShell Runbook is executed, a job is logged in Azure Automation that contains more details, including the runbook’s output;
- You can use Credential Assets in Azure Automation or integrate with Azure Key Vault to pass credentials/secrets to the workers;
This allows you to safely authenticate to services such as an Azure Storage account from a Runbook executing on a Hybrid Runbook Worker, for example when you are gathering logs and want to upload them to an Azure Storage Account for review.
- PowerShell Runbooks executed on Hybrid Runbook Workers via Azure Automation are not strictly on-demand, as they are queued first, but they start running within minutes.
Troubleshooting with Azure Automation
Imagine that an end-user reports an issue that a Win32 application is not installing on their device. Sure, you can call the end-user, control their computer remotely and gather the information as necessary, but during this time the end-user is not productive, as they cannot perform their work while you have control over their computer.
You can leverage Azure Automation to troubleshoot the device remotely without disturbing the end-user’s productivity.
As an example, you can return the last 500 lines of the IntuneManagementExtension.log file using a one-liner.
Get-Content -Path "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" | Select-Object -Last 500
Before you can use PowerShell Runbooks on your Windows 10 devices, you need to meet a few prerequisites:
- To use the solution in this blog, your Windows 10 devices need to be managed with Intune, which is used to deploy the Microsoft Monitoring Agent and register them as Hybrid Runbook Workers automatically;
- An Azure subscription is required to create an Azure automation account and Log Analytics workspace;
- An Azure Automation account is required to run PowerShell Runbooks on Hybrid Runbook Workers;
Pricing details: The first 500 minutes (per month) of job run time in the Automation account are included free of charge! You will be billed only for minutes/hours that exceed the free included units.
- An Azure Log Analytics workspace is required.
Pricing details: You pay for data ingested into the workspace by the solution. The first 5 GB of data ingested per organization to the Azure Monitor Log analytics service is offered free.
- The Azure Automation Solution needs to be added to the Log Analytics workspace.
Adding the Azure Automation Solution in the Log Analytics workspace is a requirement, so that endpoints connecting to it with the Microsoft Monitoring Agent will download the required modules to register them as Hybrid Runbook Workers in Azure Automation.
You don’t need to link the Azure Automation account with the Log Analytics workspace. That way no data is ingested and you only get billed for job run time in the Automation account.
How to register Windows 10 devices in Azure Automation as Hybrid Runbook Workers automatically
When you meet the prerequisites, you can use Microsoft Intune to deploy the Microsoft Monitoring Agent, connect Windows 10 devices to a Log Analytics workspace and register them automatically in Azure Automation as Hybrid Runbook Workers.
To do so, I’ve wrapped the Microsoft Monitoring Agent together with a PowerShell script that takes care of all those steps automatically into a single Win32 app.
You can find a prepackaged .intunewin Win32 app, the source code and documentation on how to deploy the app on my GitHub: https://github.com/jseerden/MEMHybridWorker
To connect devices to a Log Analytics workspace and register them as Hybrid Runbook Workers, you need to pass along the workspace ID, a workspace key, the Automation account endpoint URL and an Automation account key. With the prepackaged app you can pass these as parameters in the install command, but if you’d rather not expose them there, another option is to embed them in the PowerShell script and repackage it.
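To show what the install script inside such a Win32 app has to do, here is an added example of my own (not the script from the MEMHybridWorker repository). It assumes MMASetup-AMD64.exe sits next to the script, that the four values are supplied by the install command (placeholders here), and that the registration cmdlet is the one shipped in the agent’s HybridRegistration module; the registry marker path is hypothetical.

```powershell
# Added example install script for a Win32 app: install the Microsoft Monitoring Agent,
# connect the device to a Log Analytics workspace and register it as a Hybrid Runbook Worker.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [Parameter(Mandatory)][string]$WorkspaceKey,
    [Parameter(Mandatory)][string]$AutomationEndpoint,  # Automation account agent service URL
    [Parameter(Mandatory)][string]$AutomationKey,
    [string]$HybridWorkerGroup = $env:COMPUTERNAME       # one group per device: easy to target one PC
)
$ErrorActionPreference = 'Stop'
$agentRoot = 'C:\Program Files\Microsoft Monitoring Agent\Agent'

# 1. Silent agent install with the documented MMA setup properties; skip if already installed.
#    The workspace key ends up on setup.exe's command line, which is why embedding the values
#    in the script instead of the Intune install command keeps them out of the install log.
if (-not (Test-Path "$agentRoot\HealthService.exe")) {
    $props = "/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 " +
             "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey " +
             "AcceptEndUserLicenseAgreement=1"
    $setup = Start-Process -FilePath "$PSScriptRoot\MMASetup-AMD64.exe" `
                           -ArgumentList "/c /:setup.exe `"$props`"" -Wait -PassThru
    if ($setup.ExitCode -ne 0) { throw "MMA setup failed with exit code $($setup.ExitCode)" }
}

# 2. The Automation solution in the workspace pushes the HybridRegistration module to the agent
#    after it connects, so poll for it instead of assuming it is there right away.
$deadline = (Get-Date).AddMinutes(15)
do {
    $module = Get-ChildItem -Path "$agentRoot\AzureAutomation" -Recurse -Filter 'HybridRegistration.psd1' `
                            -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $module) { Start-Sleep -Seconds 30 }
} while (-not $module -and (Get-Date) -lt $deadline)
if (-not $module) { throw 'HybridRegistration module not found; is the Automation solution added to the workspace?' }

# 3. Register this device as a Hybrid Runbook Worker in its own group.
Import-Module $module.FullName
Add-HybridRunbookWorker -GroupName $HybridWorkerGroup -Url $AutomationEndpoint -Key $AutomationKey

# 4. Leave a marker the Win32 app detection rule can check (hypothetical key path).
$marker = 'HKLM:\SOFTWARE\HybridWorkerExample'
New-Item -Path $marker -Force | Out-Null
Set-ItemProperty -Path $marker -Name 'RegisteredUtc' -Value (Get-Date).ToUniversalTime().ToString('o')
```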
Sample PowerShell Runbooks
When you’ve deployed the solution and your devices have been transformed into Hybrid Runbook Workers, it’s time to start your first PowerShell Runbook from Azure Automation! I’ve included some sample scripts on my GitHub that should help you get started troubleshooting devices remotely.
Let’s try and capture the Mobile Device Management Diagnostics and upload them to an Azure Storage Account with the Invoke-MdmDiagnosticsToAzureStorage Runbook.
Note: This sample requires that you have created an Azure Storage Account to store the collected diagnostics on.
- Navigate to your Azure Automation account
- In the navigation pane, go to Variables
- Add the StorageAccountName (containing the Storage Account Name) and StorageAccountKey (containing the Storage Account Primary Access Key) variables. To hide the Storage Account Key, you may select the checkbox to encrypt it.
- In the navigation pane, go to Runbooks
- Create the Invoke-MdmDiagnosticsToAzureStorage PowerShell Runbook
- Start the Runbook, choose to run it on a Hybrid Worker and select your Windows 10 device.
The Runbook will now collect the Mobile Device Management Diagnostics on the device, create the mdmdiagnostics container and upload the collected .zip file to the Storage Account you configured using the Variables shared resources.
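As an added illustration of what such a Runbook looks like (my own version, not the Invoke-MdmDiagnosticsToAzureStorage script from the repository), the following runs on the Hybrid Runbook Worker, reads the two Automation variables, collects the diagnostics with the built-in MdmDiagnosticsTool.exe and uploads the .zip to the mdmdiagnostics container. It assumes the Az.Storage module is installed on the device.

```powershell
# Added example runbook: collect MDM diagnostics on the Hybrid Runbook Worker and upload them.
$ErrorActionPreference = 'Stop'

# Automation variables are resolved by the service and handed to the worker; the encrypted
# StorageAccountKey never appears in the runbook source or in the job output.
$storageAccount = Get-AutomationVariable -Name 'StorageAccountName'
$storageKey     = Get-AutomationVariable -Name 'StorageAccountKey'

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$zipPath = Join-Path $env:ProgramData "MdmDiag-$env:COMPUTERNAME-$stamp.zip"

# Built-in Windows tool; the selected areas cover enrollment, provisioning and Autopilot data.
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -zip $zipPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $zipPath)) {
    throw "MdmDiagnosticsTool failed (exit code $LASTEXITCODE)"
}

# Upload to a private container; create it on first use.
Import-Module Az.Storage
$ctx       = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
$container = 'mdmdiagnostics'
if (-not (Get-AzStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $container -Context $ctx -Permission Off | Out-Null
}
$blob = Set-AzStorageBlobContent -File $zipPath -Container $container `
                                 -Blob (Split-Path $zipPath -Leaf) -Context $ctx -Force
Remove-Item -Path $zipPath -Force   # do not leave the diagnostics lying around on the endpoint

# Whatever the runbook emits shows up as output in the Azure Automation job view.
[pscustomobject]@{
    Device      = $env:COMPUTERNAME
    Blob        = $blob.Name
    SizeKB      = [math]::Round($blob.Length / 1KB)
    UploadedUtc = (Get-Date).ToUniversalTime()
}
```

The object emitted at the end is what you will see under the job’s Output tab, so you can confirm the upload without opening the Storage Account.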
More samples will be available in the GitHub repository as I create them. Please also feel free to share your samples with me too!