Endpoint Manager and Winget to manage my device


It has been a while since I have reinstalled a device. At the end of 2019 I reinstalled and wrote a blog about my setup. Due to bad weather during my holidays, I figured it was time to revamp my machine as well as to build my own desktop. That resulted in a few days of playing around with hardware and software. This post captures the setup I ended up with to install my devices.

Endpoint Manager

I have been working with Intune for a while, but never bothered to set it up for my custom tenant. Long overdue, I thus bought the EMS + E5 license and configured the new Endpoint Manager (formerly known as Intune). The goal was to minimize the manual labor required to configure my machine. But since I have multiple machines, I needed some flexibility as well. So, the result is a set of Endpoint Manager policies and settings and a few PowerShell scripts to tweak specific settings. I created three app policies to configure the most used applications.

  • Microsoft 365 Apps for Windows 10: this makes sure enrolled devices are provided with the Office apps I often use.
  • Microsoft Edge for Windows 10: to make sure Edge is available on all devices.
  • Winget: this deploys the Winget package installer on each machine. I followed Intune and Package Managers - Part 2: Winget as a walkthrough.

Besides the App policies I also needed two Device Configuration profiles, one based on the Settings Catalog type and one based on the Administrative templates. The Administrative template version contains all settings to deploy OneDrive and make it sign in automatically. The Settings Catalog option is used to disable the Windows 10 taskbar News and Interests.

I have not configured additional Endpoint security settings like BitLocker, or additional settings for Windows update rings, but will do so at some point. For now, I enabled it manually.

Winget

With the policies in place, as soon as I log into a new machine it will pull in the organization profile and apply the required settings. A few minutes after logging in, Winget is installed and I can open my OneDrive. In my OneDrive I have an Install folder that contains a PowerShell script that makes sure all apps will be installed. The script does three things:

  1. Enable winget to allow the MSStore source (I used the Install Apps from the Microsoft Store using WinGet blog).
  2. Install applications with winget commands (applications listed at Reinstalling my laptop; what config I use).
  3. Remove some out-of-the-box Windows Store apps that I am not using, based on Uninstalling windows store apps using PowerShell.

Those three actions result in the following script:

Start-Transcript

Write-Output "Running install script using Winget"

# Make sure we can use the MSStore to install & use the uninstall feature for future reference
$settingsPath = "$env:LOCALAPPDATA\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json";

# The LocalState folder only exists once the App Installer package has initialized; create it if needed so Out-File does not fail
New-Item -ItemType Directory -Path (Split-Path $settingsPath) -Force | Out-Null

$settingsJson = @"
{
    // For documentation on these settings, see: https://aka.ms/winget-settings
    // "source": {
    //    "autoUpdateIntervalInMinutes": 5
    // },

    "experimentalFeatures": {
      "experimentalMSStore": true,
      "uninstall": true
    }
}
"@;
$settingsJson | Out-File $settingsPath -Encoding utf8

# Apps to install and uninstall
$apps = @("Microsoft.AzureCLI", "Microsoft.PowerShell", "Notepad++.Notepad++", "Microsoft.AzureStorageExplorer", "Microsoft.PowerToys", "TechSmith.Camtasia", "TechSmith.Snagit", "Git.Git", "Fork.Fork", "7zip.7zip", "Discord.Discord", "Docker.DockerDesktop", "Telerik.Fiddler", "DominikReichl.KeePass", "Spotify.Spotify", "Microsoft.VisualStudioCode", "Microsoft.WindowsTerminal", "Postman.Postman");
$windowsAppsInstall = @("Microsoft.Whiteboard")
# Wildcards are allowed here because these names are passed to Get-AppxPackage
$windowsAppsUnInstall = @("Microsoft.People", "*xboxapp*", "*3DPrint*", "Microsoft.SkypeApp", "Microsoft.Advertising*", "Microsoft.BingWeather", "Microsoft.ZuneVideo", "Microsoft.ZuneMusic", "Microsoft.Getstarted", "Microsoft.MicrosoftOfficeHub", "microsoft.windowscommunicationsapps")

$counter = 0;
Foreach ($app in $apps) {
  $counter++
  Write-Output "Installing app $($app)... ($counter/$($apps.Length))"

  # --exact matches the package ID literally, so a similarly named package is never picked by accident
  winget install --exact --silent $app --source winget
}

$counter = 0;
Foreach ($app in $windowsAppsInstall) {
  $counter++
  Write-Output "Installing windows app $($app)... ($counter/$($windowsAppsInstall.Length))"

  winget install --exact --silent $app --source msstore
}

$counter = 0;
Foreach ($app in $windowsAppsUnInstall)
{
  $counter++
  Write-Output "Uninstalling windows app $($app)... ($counter/$($windowsAppsUnInstall.Length))"

  Get-AppxPackage -AllUsers $app | Remove-AppxPackage
}

Stop-Transcript

🌧 Currently the Microsoft To Do application seems not to be present in Winget and thus cannot be installed with this approach. It is the only application I could not get installed using this script…
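The script above never looks at the exit code of winget, so a package that is missing from the source (like the To Do case just mentioned) or a download that fails only shows up as noise in the transcript. The following is an added example, not part of the original post's script: a small wrapper that installs one package by exact ID, skips it when it is already present, and records the outcome so the run ends with a summary of what failed. The `--id`, `--accept-package-agreements` and `--accept-source-agreements` flags are winget options not used in the original; the three package IDs in the driver are taken from the post's lists and the function name is my own.

```powershell
# Added example (not from the original post): install winget packages by exact ID
# and collect per-package results instead of letting failures scroll by.
function Install-WingetApp {
    param(
        [Parameter(Mandatory)] [string] $Id,
        [ValidateSet('winget', 'msstore')] [string] $Source = 'winget'
    )

    # 'winget list' exits with 0 when an exact ID match is installed and
    # non-zero when nothing matches, which makes the install idempotent.
    winget list --exact --id $Id --accept-source-agreements | Out-Null
    if ($LASTEXITCODE -eq 0) {
        return [pscustomobject]@{ Id = $Id; Source = $Source; Status = 'AlreadyInstalled'; ExitCode = 0 }
    }

    # --exact plus --id pins the package to the literal identifier; the agreement
    # flags keep the run unattended instead of blocking on a prompt.
    winget install --exact --id $Id --source $Source --silent `
        --accept-package-agreements --accept-source-agreements

    $status = if ($LASTEXITCODE -eq 0) { 'Installed' } else { 'Failed' }
    [pscustomobject]@{ Id = $Id; Source = $Source; Status = $status; ExitCode = $LASTEXITCODE }
}

# Driver: a couple of IDs from the post's own lists, one from each source.
$results = @()
foreach ($id in @('Git.Git', 'Microsoft.PowerShell')) {
    $results += Install-WingetApp -Id $id
}
foreach ($id in @('Microsoft.Whiteboard')) {
    $results += Install-WingetApp -Id $id -Source 'msstore'
}

# Summary at the end of the run: the transcript still has the full winget output,
# but this table tells you at a glance which packages need a manual follow-up.
$results | Format-Table Id, Source, Status, ExitCode -AutoSize
$failed = @($results | Where-Object Status -eq 'Failed')
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) package(s) failed to install; check the transcript for details."
}
```

Wrapping the call this way also makes it safe to rerun the script after fixing a failed package: anything already installed is reported as such and skipped rather than reinstalled.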

Other scripts

There are a few manual things left, like signing in to several systems, making sure NVM is installed, and downloading the Fira Code font. There are also a few other actions that I have scripted: showing file extensions in Explorer, inspired by a Show File Extensions sample, and creating the custom folder structure that I use to organize some of my projects.

Push-Location
Set-Location HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
# HideFileExt is a DWORD; 0 makes Explorer show file extensions
Set-ItemProperty -Path . -Name HideFileExt -Value 0 -Type DWord
Pop-Location
Stop-Process -Name Explorer -Force # Explorer restarts itself after being stopped, which makes the setting take effect.

$folders = @("C:\git", "C:\git\pnp", "C:\git\proj", "C:\git\sbx")

foreach ($folder in $folders) {
    if (!(Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder
    }
    else {
        Write-Output "Folder $folder already exists"
    }
}

With that it takes about ten minutes after logging in to get my Endpoint Manager policies applied, and another 15 to 30 minutes to pull in all the other installers (yes, I totally have a crappy internet connection). The plus side is that after those 30 minutes everything is up and running. All that is left is signing in to the correct services and everything is working. Putting all the policies in place might have taken a bit longer than just installing everything once by hand, but I am sure this will make life a bit easier.
