Adding Ping and RDP to device settings in Intune via PowerShell

For the most part, you should be able to add nearly every device setting via Intune, from standard device configuration profiles to ADMX to CSP. The Intune team is adding new capabilities all the time. I did come across two settings that I really like to have enabled in my lab that still aren't available from an out-of-box device profile or CSP (or at least I couldn't figure out how to do it via CSP). So as of this post, the two must-have settings in my lab are RDP and ping. A real-world application of this is a mixed management environment: an IT shop that is slowly shifting to a modern workplace is likely to be piloting company-owned devices that connect to the corporate network but are solely managed by Intune, while the rest of the devices are managed by legacy on-prem AD and may or may not be co-managed with ConfigMgr + Intune.

So for the purpose of this post, I needed to quickly enable these settings for a VM that was "company owned", always connected to the corp network during work hours, and needs to be accessed by helpdesk for some sort of task. I can't tell you how many times in my helpdesk days I'd remote to somebody's PC during their lunch break/meeting/poop time. It's a real need.


Pre-requisite: a device group to deploy a PowerShell script to.

I created mine as a dynamic group with some pretty loose settings: it needs to be running Windows and it needs to be company owned. I'll elaborate via a snip.

Figure 1 I'm in AAD - Groups blade

After some time, you should see some devices show up in the Members tab.


Figure 2 Happy corporate owned devices

Next, I need to create a PowerShell script that enables the features I want, upload it to Intune, and assign it to the dynamic group I created. I stole (with pride) the RDP part from here.


#RDP - allow
#Enable Remote Desktop connections (fDenyTSConnections: 0 = allow, 1 = deny)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0

#Enable Network Level Authentication (UserAuthentication: 1 = require NLA, 0 = off)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -Value 1

#Enable Windows firewall rules to allow incoming RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

#Ping - IPv4 - allow (ICMPv4 type 8 = echo request)
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol="icmpv4:8,any" dir=in action=allow


You can yell at me for mixing PowerShell and netsh and idgaf.
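The same two settings as an added example script of my own (not the post's script and not anything Microsoft ships): pure PowerShell, safe to re-run on every Intune sync, NLA kept required, and both firewall rules limited to the Domain and Private profiles so a laptop that wanders onto hotel Wi-Fi isn't listening on the Public profile. The transcript path under ProgramData is an assumption; the ICMP rule name is the one from the post.

```powershell
# Added example, not the post's script. Intune runs PowerShell scripts as SYSTEM by default.
$ErrorActionPreference = 'Stop'
$logDir = "$env:ProgramData\IntuneScripts"   # assumed log location (separate from the IME log)
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
Start-Transcript -Path "$logDir\Enable-RdpPing.log" -Append

try {
    # Allow Remote Desktop connections (fDenyTSConnections: 0 = allow, 1 = deny)
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0 -Type DWord

    # Require Network Level Authentication (UserAuthentication: 1 = require, 0 = off)
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1 -Type DWord

    # Enable the built-in RDP rule group, limited to the Domain and Private profiles
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -Profile Domain, Private

    # ICMPv4 echo request (type 8); create the rule only if it is not already there
    $ruleName = 'ICMP Allow incoming V4 echo request'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol ICMPv4 `
            -IcmpType 8 -Action Allow -Profile Domain, Private | Out-Null
    }

    # Write the resulting state into the transcript so the run can be checked afterwards
    [pscustomobject]@{
        RdpAllowed  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
        NlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
        RdpRulesOn  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                        Where-Object { $_.Enabled -eq 'True' }).Count
        PingRule    = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    } | Format-List
}
finally {
    Stop-Transcript
}
```

Upload it exactly like the post's script; the transcript gives you a per-run record on the client alongside the IME log.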


Once the script is created, upload it to Intune under Device Configuration, PowerShell scripts.

Figure 3 Uploading the script

Then apply it to the device group you want to target (I used my generic dynamic group to hit all company owned devices).

Figure 4 Assigning it

Pick your favorite way to make the device sync and then head over to the client-side Intune log to watch the magic happen.


Figure 5 Log is found at C:\ProgramData\Microsoft\Intune\IntuneManagementExtension\Logs\IntuneManagementExtension.log

Then you can check your work and hopefully get something like this:

Figure 6 Before enabling ping

Figure 7 Now it all works 🙂