endpoint.microsoft.com –> Devices –> scripts –>
Run this script using the logged on credentials: Yes (some can be no)
Enforce script signature check: No
Run script in 64 bit PowerShell Host: Yes (some can be 32)
Here I will rename a local admin account and change its password:
renameadm.ps1
# Account to rename and the name it should get
$oldUsername = "usertoremove"
$newUsername = "newadministrator"
# Both passwords are embedded in plain text; $oldPassword is not used below
$oldPassword = ConvertTo-SecureString "passwordforusertoremove" -AsPlainText -Force
$newPassword = ConvertTo-SecureString "newpasswordfornewadm" -AsPlainText -Force
# Look up the existing account
$user = Get-LocalUser -Name $oldUsername
# Rename it, then set the new password on the renamed account
Rename-LocalUser -Name $oldUsername -NewName $newUsername
Set-LocalUser -Name $newUsername -Password $newPassword
Here I will remove all local admins and also Azure admins/users, leaving just the local admin that I created:
removing_all_adms_less_one.ps1
# Bind to the local Administrators group through ADSI
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators"
# List the members; the leaf of each ADSI path is the account name
$admins = $group.Invoke('Members') | ForEach-Object {
    $path = ([adsi]$_).path
    [PSCustomObject]@{
        User = $(Split-Path $path -Leaf)
    }
}
foreach ($user in $admins) {
    $test = $user.User # Assign the user value to $test variable for comparison
    # Remove every member except the account to keep
    if ($test -ne "keep-this-username-adm") {
        Remove-LocalGroupMember -Group Administrators -Member $test
    }
}
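The script above removes every member whose name differs from the one to keep, so a typo in that name, or a keep account that is missing from the group, leaves the device without a usable administrator. The following guarded variant is an added example, not part of the original post: it compares SIDs instead of names and only removes members when a switch is set. $KeepUser and $Apply are hypothetical parameter names chosen for illustration.

```powershell
# Added example, not from the original post. Intune passes no arguments to
# the script, so unless the $Apply default is edited this is a dry run (-WhatIf).
param(
    [string]$KeepUser = "keep-this-username-adm",  # placeholder name from the post
    [switch]$Apply                                 # hypothetical switch: really remove
)

# Resolve the group by its well-known SID; its display name is localized.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544' -ErrorAction Stop

# The account to keep must exist and be enabled, otherwise stop here.
$keep = Get-LocalUser -Name $KeepUser -ErrorAction Stop
if (-not $keep.Enabled) { throw "'$KeepUser' is disabled; nothing removed." }
$keepSid = $keep.SID.Value

# Enumerate members through ADSI as the post does, but record each SID.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name)"
$members = @($group.Invoke('Members') | ForEach-Object {
    $entry = [ADSI]$_
    $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$entry.objectSid.Value, 0)
    [PSCustomObject]@{ Name = Split-Path $entry.Path -Leaf; Sid = $sid.Value }
})

# Refuse to continue if the keep account is not already an administrator.
if ($members.Sid -notcontains $keepSid) {
    throw "'$KeepUser' is not in '$($adminGroup.Name)'; nothing removed."
}

# Remove everyone else by SID, so a domain or Azure AD account that happens
# to share the keep account's name is not kept by mistake.
foreach ($m in $members) {
    if ($m.Sid -eq $keepSid) { continue }
    Remove-LocalGroupMember -SID $adminGroup.SID -Member $m.Sid -WhatIf:(-not $Apply)
}

# Output the resulting membership for review.
$group.Invoke('Members') | ForEach-Object { ([ADSI]$_).Path }
```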
Here I’m removing the PIN:
removepin.ps1
# Disable Windows Hello for Business through the policy registry key
$path = "HKLM:\SOFTWARE\Policies\Microsoft"
$key = "PassportForWork"
$name = "Enabled"
$value = "0"
New-Item -Path $path -Name $key -Force
New-ItemProperty -Path "$path\$key" -Name $name -Value $value -PropertyType DWORD -Force
#Delete existing pins
$passportFolder = "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc"
if (Test-Path -Path $passportFolder) {
    # Take ownership and reset the ACLs so the folder can be deleted
    Takeown /f $passportFolder /r /d "Y"
    ICACLS $passportFolder /reset /T /C /L /Q
    Remove-Item -Path $passportFolder -Recurse -Force
}
Here I will set a background image (the script configures the lock screen image through the PersonalizationCSP registry key):
setbackground.ps1
$RegKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP"
$LockScreenPath = "LockScreenImagePath"
$LockScreenStatus = "LockScreenImageStatus"
$LockScreenUrl = "LockScreenImageUrl"
$StatusValue = "1"
$url = "https://www.meusite.com/wp-content/uploads/2023/04/wallpaper.png"
$LockScreenImageValue = "C:\MDM\wallpaper.png"
$directory = "C:\MDM\"
# Create the local folder for the image if it does not exist
If ((Test-Path -Path $directory) -eq $false) {
    New-Item -Path $directory -ItemType directory
}
# Download the image to the local path
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $LockScreenImageValue)
if (!(Test-Path $RegKeyPath)) {
    Write-Host "Creating registry path $($RegKeyPath)."
    New-Item -Path $RegKeyPath -Force | Out-Null
}
# Point the status, path and URL values at the downloaded file
New-ItemProperty -Path $RegKeyPath -Name $LockScreenStatus -Value $StatusValue -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenPath -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
New-ItemProperty -Path $RegKeyPath -Name $LockScreenUrl -Value $LockScreenImageValue -PropertyType STRING -Force | Out-Null
RUNDLL32.EXE USER32.DLL, UpdatePerUserSystemParameters 1, True