Intune (install) Pack

Inspired by:
Michael Mardahl | https://www.iphase.dk
Jordan Russell | http://www.jrsoftware.org/

Sources:
https://www.iphase.dk/local-administrators-on-aad-joined-devices/
http://www.jrsoftware.org/
https://www.exemsi.com/download/

Create a folder named IntunePack
In IntunePack create two folders:
Installer
Source

Example

Download PSAppDeployToolkit and extract it

Copy the Toolkit files to Source

Create a Local_admin.ps1 file and save it in the Source\Files folder

New-LocalUser -Name "Admin" -Description "Admin." -NoPassword   # create the account without a password first
net user Admin PASSWORD123@                                      # then set the password (replace PASSWORD123@)
wmic useraccount where "Name='Admin'" set PasswordExpires=false  # password never expires
net user "Admin" /PasswordChg:No                                 # user cannot change the password
Add-LocalGroupMember -Group "Administrators" -Member "Admin"     # grant local admin rights

On line 2, change PASSWORD123@ to the password you want
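As an added check (not part of the pack itself), the script below verifies that Local_admin.ps1 left the account in the intended state: it exists, is enabled, the password never expires, the user cannot change it, and it sits in Administrators. It assumes the account name Admin from the script above. Because it writes its findings to stdout and exits 0 only when every check passes, it can also serve as an Intune custom detection script in place of a file-exists rule.

```powershell
# Added verification script for the Local_admin.ps1 step; assumes the account name "Admin".
function Test-LocalAdminAccount {
    param([string]$Name = 'Admin')
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    $isAdmin = $false
    if ($user) {
        # local accounts appear in the group as "COMPUTERNAME\Admin"
        $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                          Where-Object { $_.Name -like "*\$Name" })
    }
    [pscustomobject]@{
        Exists               = [bool]$user
        Enabled              = [bool]($user -and $user.Enabled)
        PasswordNeverExpires = [bool]($user -and $null -eq $user.PasswordExpires)   # wmic PasswordExpires=false
        CannotChangePassword = [bool]($user -and -not $user.UserMayChangePassword)   # net user /PasswordChg:No
        InAdministrators     = $isAdmin
    }
}

$state = Test-LocalAdminAccount -Name 'Admin'
$state | Format-List                                   # one line per check, visible in stdout
$allOk = ($state.PSObject.Properties.Value -notcontains $false)
if ($allOk) { Write-Output 'Local_admin.ps1 state verified'; exit 0 }
exit 1                                                 # Intune treats non-zero exit as "not detected"
```

Run it elevated after the pack has executed; any property reported as False points at the line of Local_admin.ps1 that did not take effect.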

Add an Azure Active Directory user to the local Administrators group

Open Notepad to collect (copy/paste) the four required values:
Object ID (localAdminGroupID):
Application (client) ID (client_id):
Client value (client_secret):
Tenant/Directory ID:

First create an Azure Active Directory security group
Add the desired members
Go to group properties and copy the Object ID
Paste to the notepad > Object ID (localAdminGroupID):

Copy the Object ID
(localAdminGroupID)

API access for Powershell

Go to Azure Active Directory > App registrations
Create a new application registration:
Name: Powershell API Access
Supported account types: Accounts in any organizational directory (Any Azure AD directory – Multitenant)
Web: http://localhost
Register
Copy Application (client) ID
Paste to notepad > Application (client) ID (client_id):

Copy the Application (client) ID
(client_id)

In Powershell API Access go to Certificates & secrets
Create a new client secret
Description: Powershellkey
Expires: Never
Copy the value string
Paste to notepad > Client value (client_secret):

Copy the client value
(client_secret)

In Powershell API Access go to API permissions and add an Application permission under Azure Active Directory Graph > Directory

Select Directory.Read.All

Click on “Grant admin consent for …”

Go to Azure Active Directory > Properties and copy the Tenant/Directory ID

Copy the Tenant/Directory
(tenant_id)

Paste to notepad > Tenant/Directory ID:

Now you have collected all the necessary values

Download the aad_controlled_localadmins script from GitHub (Credit: Michael Mardahl)
Edit these lines:
30 > $client_id = Application (client) ID (client_id)
31 > $client_secret = Client value (client_secret)
34 > $tenant_id = Tenant/Directory ID (tenant_id)
37 > $localAdminGroupID = Object ID (localAdminGroupID)

408 > Remove the leading # (uncomment the line)

Save as aad_controlled_localadmins.ps1 in the Files folder
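For reference, an added example (not the aad_controlled_localadmins script itself) of how the four collected values are used: a client-credentials token request, enumeration of the group's users, and the local Administrators update. It targets the Microsoft Graph v1.0 endpoint rather than the Azure AD Graph endpoint selected in the permissions step above, because Azure AD Graph has been retired; Directory.Read.All exists as a Microsoft Graph application permission too, and the narrower GroupMember.Read.All is enough for this query. The parameter names and the -Apply switch are this example's own. Keep in mind what the deployed script carries: the client secret, created above with no expiry, ends up in a file under Program Files (x86) that every local user can read, and with Directory.Read.All it can read the whole directory. Prefer the shortest secret lifetime your rotation process supports, the narrowest permission, and the post-install cleanup step that removes the script.

```powershell
# Added example, not the aad_controlled_localadmins script: sync an Azure AD group into local Administrators.
# Assumes an Azure AD-joined Windows 10 device and an app registration holding Directory.Read.All
# (or GroupMember.Read.All) as a Microsoft Graph application permission with admin consent granted.
param(
    [Parameter(Mandatory)][string]$ClientId,           # Application (client) ID
    [Parameter(Mandatory)][string]$ClientSecret,       # client secret value
    [Parameter(Mandatory)][string]$TenantId,           # Tenant/Directory ID
    [Parameter(Mandatory)][string]$LocalAdminGroupId,  # Object ID of the security group
    [switch]$Apply                                     # without -Apply nothing is changed, only reported
)

# Windows 10 1607 with PowerShell 5.1 may still default to TLS 1.0; the token endpoint requires TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-GraphToken {
    # OAuth2 client-credentials grant: the secret is exchanged for a short-lived bearer token
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded').access_token
}

function Get-GroupUserUpns {
    param([string]$Token, [string]$GroupId)
    $headers = @{ Authorization = "Bearer $Token" }
    # transitiveMembers flattens nested groups; follow @odata.nextLink until the last page
    $uri  = "https://graph.microsoft.com/v1.0/groups/$GroupId/transitiveMembers?`$select=id,userPrincipalName"
    $upns = @()
    while ($uri) {
        $page  = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $upns += $page.value |
            Where-Object { $_.'@odata.type' -eq '#microsoft.graph.user' } |
            ForEach-Object { $_.userPrincipalName }
        $uri = $page.'@odata.nextLink'
    }
    $upns
}

$token   = Get-GraphToken
$wanted  = Get-GroupUserUpns -Token $token -GroupId $LocalAdminGroupId
# Azure AD accounts show up in local groups as "AzureAD\<UPN>"
$current = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })

foreach ($upn in $wanted) {
    $member = "AzureAD\$upn"
    if ($current -contains $member) { continue }               # -contains compares case-insensitively
    if ($Apply) {
        net localgroup Administrators $member /add | Out-Null  # same tool family the pack already uses
        Write-Output "Added $member"
    } else {
        Write-Output "Would add $member (re-run with -Apply)"
    }
}

# Report, but do not remove, Azure AD accounts that are local admins without being in the group
$current |
    Where-Object { $_ -like 'AzureAD\*' -and $wanted -notcontains $_.Substring(8) } |
    ForEach-Object { Write-Output "Local admin not in group: $_" }
```

Run it first without -Apply to see the planned changes; the extra-admins report at the end is the quickest way to spot accounts that were granted local admin outside the group.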

Edit the Deploy-Application.ps1 file in IntunePack\Source:

Lines 64 to 76
Add # at the start of line 120 (comment it out)
Add # at the start of line 123
Add # at the start of line 160
Add # at the start of line 163
Insert the following script block below line 140:

# PSADT variables/functions: $envProgramFilesX86, $dirFiles, New-Folder, Copy-File, Execute-Process
$destinationFolder = join-path $envProgramFilesX86 "\IntunePack"      # C:\Program Files (x86)\IntunePack
New-Folder -Path $destinationFolder
Copy-File -Path "$dirFiles\*.*" -Destination $destinationFolder        # copies everything from Source\Files
# run Local_admin.ps1 hidden, bypassing the execution policy for this process only
$myParameters = '-ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File "{0}"' -f "$destinationFolder\Local_admin.ps1"
Execute-Process -Path 'powershell.exe' -Parameters $myParameters -WindowStyle 'hidden'
# then run the group-sync script the same way
$myParameters = '-ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File "{0}"' -f "$destinationFolder\aad_controlled_localadmins.ps1"
Execute-Process -Path 'powershell.exe' -Parameters $myParameters -WindowStyle 'hidden'

If you want to delete the files/folder after the run, add code like the following after the line
## <Perform Post-Installation task here> (below line 148)
Example: Remove-Item -Path "$destinationFolder\Local_admin.ps1"

Making IntunePack.exe

Download Inno Setup and install the software

In Notepad++ create a file IntunePack.iss and save it to the Installer folder
Copy and paste the code below and generate an AppId GUID on line 8

; Script generated by the Inno Script Studio Wizard.
; SEE THE DOCUMENTATION FOR DETAILS ON CREATING INNO SETUP SCRIPT FILES!

[Setup]
; NOTE: The value of AppId uniquely identifies this application.
; Do not use the same AppId value in installers for other applications.
; (To generate a new GUID, click Tools | Generate GUID inside the IDE.)
AppId={
AppName=IntunePack
AppVersion=1.0
AppPublisher=knowledgebase
AppPublisherURL=https://www.knowledgebase.it
AppSupportURL=https://www.knowledgebase.it
AppUpdatesURL=https://www.knowledgebase.it
DefaultDirName={autopf}\Source\SetupFiles
DisableDirPage=yes
DefaultGroupName=IntunePack
DisableProgramGroupPage=yes
OutputDir="C:\IntunePack\Installer"
OutputBaseFilename=IntunePack
Compression=lzma
SolidCompression=yes

[Files]
Source: "C:\IntunePack\Source\Deploy-Application.exe"; DestDir: "{app}"; Flags: ignoreversion
Source: "C:\IntunePack\Source\*"; DestDir: "{app}"; Flags: ignoreversion recursesubdirs createallsubdirs
; NOTE: Don't use "Flags: ignoreversion" on any shared system files

[Run]
Filename: "{app}\Deploy-Application.exe"; Parameters: "install"; WorkingDir: "{app}"; Flags: waituntilterminated hidewizard runhidden

[UninstallRun]
Filename: "{app}\Deploy-Application.exe"; Parameters: "uninstall"; WorkingDir: "{app}"; Flags: waituntilterminated runhidden

[UninstallDelete]
Type: filesandordirs; Name: "{app}*"

Compile the script (F9) to produce IntunePack.exe in the Installer folder

Making IntunePack.intunewin

Create an install.cmd file and save it in the IntunePack\Installer folder

IntunePack.exe /VERYSILENT /SUPPRESSMSGBOXES

Download IntuneWinAppUtil.exe

Open cmd with admin rights and change to the folder containing IntuneWinAppUtil.exe
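The two build steps above (compiling the .iss and wrapping the result) can be scripted so the package is rebuilt the same way every time. The following is an added example, not part of the pack; it assumes Inno Setup 6 in its default install path, IntuneWinAppUtil.exe downloaded to C:\Tools, a separate C:\IntunePack\Output folder for the .intunewin, and the folder layout from the steps above.

```powershell
# Added build script (not part of the original pack). Paths marked "assumed" are this example's own.
$iscc      = 'C:\Program Files (x86)\Inno Setup 6\ISCC.exe'   # assumed Inno Setup install path
$wrapper   = 'C:\Tools\IntuneWinAppUtil.exe'                  # assumed download location
$installer = 'C:\IntunePack\Installer'                        # holds IntunePack.iss and install.cmd
$output    = 'C:\IntunePack\Output'                           # assumed; keeps the .intunewin out of the source folder
$script    = Join-Path $installer 'IntunePack.iss'
New-Item -ItemType Directory -Path $output -Force | Out-Null

# 1. Compile the .iss; OutputDir in the script drops IntunePack.exe into $installer
& $iscc $script
if ($LASTEXITCODE -ne 0) { throw "ISCC failed with exit code $LASTEXITCODE" }

# 2. Wrap the whole Installer folder: -c source folder, -s the setup file the package is named after,
#    -o output folder, -q quiet. Naming it after IntunePack.exe yields IntunePack.intunewin; install.cmd
#    is packaged alongside it because it sits in the same folder, so the portal's install command still works.
& $wrapper -c $installer -s 'IntunePack.exe' -o $output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# 3. Confirm both artifacts exist before uploading
foreach ($p in (Join-Path $installer 'IntunePack.exe'), (Join-Path $output 'IntunePack.intunewin')) {
    if (-not (Test-Path $p)) { throw "Missing build output: $p" }
    Get-Item $p | Select-Object FullName, Length, LastWriteTime
}
```

The script stops at the first failing step rather than uploading a stale .intunewin, which is the usual cause of "the new version didn't apply" tickets.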

Upload IntunePack.intunewin

https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/1/selectedMenuItem/Overview

Microsoft Intune > Client apps > Apps
App type: Windows app (Win32)
Name: IntunePack
Description: IntunePack
Publisher: Knowledgebase
Category: Computer management
Display this as a featured app in the Company Portal: Yes or No
Upload a logo
Wait for complete upload
Install command: Install.cmd
Uninstall command: msiexec /x "{AppId}" /q
Install behavior: System
Operating system architecture: 64-bit
Minimum operating system: Windows 10 1607
Detection rules:
Rule type: File
Path: C:\Program Files (x86)\
File or folder: IntunePack
Detection method: File or folder exists
Associated with a 32-bit app on 64-bit clients: Yes

Assign a group in Assignments