This folder contains a few scripts that supplement the OIB, but are not requirements for the OIB to function.
All scripts create logs that can be found in the $ProgramData\Microsoft\IntuneManagementExtension\Logs folder.
I have tried to utilise available settings to make this work as part of the Timezone and Privacy policies, however it seems that the only way to get this to work is to run a script. This script will enable the "Set time zone automatically" switch in Settings > Time & Language > Date & Time.
Script type - Platform Script
Assign to - Users
Script Settings:
- Run this script using the logged on credentials - No
- Enforce script signature check - No
- Run script in 64-bit PowerShell Host - Yes
One big security concern with OOBE is that it doesn't (currently) install updates. This means that most devices will be at least a month out of date when they are first used. This script automatically triggers the following to update once a device gets to the desktop:
- Defender
- Microsoft Store
- Windows Update
The end result is that, shortly afterwards, any pending updates will be installed and the user is notified that a reboot is required, reducing the time between OOBE and the device being secure.
Script type - Platform Script
Assign to - Users
Script Settings:
- Run this script using the logged on credentials - No
- Enforce script signature check - No
- Run script in 64-bit PowerShell Host - Yes
This PowerShell script disables unnecessary or insecure Windows services in accordance with the CIS Benchmarks for Level 1 and Level 2 hardening.
It supports full customization to meet your environment’s specific requirements through three main variables:
- $LevelOne / $LevelTwo - Enable or disable enforcement of CIS Level 1 and Level 2 services.
- $ExcludeList - A customizable list of services you wish to exclude from enforcement (e.g., Spooler, WinRM).
Script type - Platform Script
Assign to - Devices
Script Settings:
- Run this script using the logged on credentials - No
- Enforce script signature check - No
- Run script in 64-bit PowerShell Host - Yes
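
How the three variables described above can drive the enforcement, shown as an added example that is not the OIB script itself. The two service lists are a small constructed subset whose level assignments are assumptions to check against your CIS Benchmark version, and `$DryRun` and the log file name are hypothetical.

```powershell
# Added example, not the OIB script. The service lists are a constructed subset;
# level assignments are assumptions to verify against your CIS Benchmark version.
$LevelOne    = $true                  # enforce the Level 1 list
$LevelTwo    = $false                 # enforce the Level 2 list
$ExcludeList = @('Spooler', 'WinRM')  # services to leave untouched
$DryRun      = $true                  # hypothetical switch: report only, change nothing

$LevelOneServices = @('SharedAccess', 'RemoteAccess', 'SSDPSRV', 'upnphost')
$LevelTwoServices = @('Spooler', 'WinRM', 'RemoteRegistry', 'lfsvc')

# Hypothetical log file name, written next to the other Intune script logs.
$LogFile = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\Example-CISServices.log'
function Write-Log([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
    Write-Output $line
}

# Build the target list from the enabled levels, then drop the exclusions.
$targets = @()
if ($LevelOne) { $targets += $LevelOneServices }
if ($LevelTwo) { $targets += $LevelTwoServices }
$targets = $targets | Sort-Object -Unique | Where-Object { $_ -notin $ExcludeList }

$failed = 0
foreach ($name in $targets) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Log "SKIP    $name (not installed)"; continue }
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
        Write-Log "OK      $name (already disabled)"; continue
    }
    if ($DryRun) { Write-Log "WOULD   $name (StartType=$($svc.StartType), Status=$($svc.Status))"; continue }
    try {
        # Disable first so the service stays off after reboot even if the stop fails.
        Set-Service  -Name $name -StartupType Disabled -ErrorAction Stop
        Stop-Service -Name $name -Force -ErrorAction Stop
        Write-Log "CHANGED $name (disabled and stopped)"
    } catch {
        $failed++
        Write-Log "ERROR   $name : $($_.Exception.Message)"
    }
}
# Exit non-zero when any change failed.
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

Running with `$DryRun = $true` first shows which services a given combination of levels and exclusions would touch before anything is changed on the device.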