A collection of scripts, templates, and tools for managing Windows endpoints at scale — covering Azure Virtual Desktop image builds, session host lifecycle, and day-to-day operational tasks.

```
avd/
├── bicep/                    # Bicep templates for AVD session host deployment
│   ├── modules/              # Reusable modules (session hosts, image templates)
│   └── main-*.bicep
├── customizer/               # AIB / Packer customizer scripts (image-bake)
│   └── ConfigurationFiles/   # Bundled VDOT JSON (no runtime download required)
├── pipelines/                # Azure DevOps YAML pipelines
└── scripts/                  # PowerShell scripts used by pipelines
devops/
└── aib-task-v1-patched/      # Patched Azure Image Builder DevOps task (v2)
intune/
└── bitlocker/                # BitLocker detection & remediation scripts for Intune
macos/
└── servicing/                # Developer-storage cleanup and reclaim helpers for macOS
tools/                        # Standalone PowerShell/WPF utilities
windows/
├── applications/             # Generic MSI uninstaller by name pattern / publisher / GUID
├── dot3svc/                  # Wired AutoConfig (dot3svc) migration reset
├── print/                    # Windows Protected Print (WPP) readiness — flag third-party v3/v4 drivers
├── rdp/                      # Per-user RDP file signing (no admin required)
├── security/                 # Hardware speculation mitigations, Secure Boot remediation
├── servicing/                # Pre-upgrade disk-space cleanup, WinRE partition resize, ESP free-space reporter
└── w365/                     # Windows 365 Cloud PC utilities (disk resize, keyboard layout)
```

| Tool | Description |
|---|---|
| ADMXPolicyComparer | Compare ADMX policy baselines across Windows versions |
| AIBLogMonitor | Azure Image Builder log monitor |
| AvdAssessor | AVD environment assessment |
| AvdRewind | AVD session host rollback |
| AzChangeTracker | Azure resource change tracking |
| BaselineAssessor | Windows security baseline assessment (263 checks) |
| DeviceDecommissioner | Remove a device from AD, Entra ID, Intune, Autopilot, and SCCM in one guided workflow — pre-flight cards, BitLocker/LAPS warnings, dry-run, audit trail |
| PolicyPilot | Group Policy & MDM documentation — scans AD/Local/Intune, conflict detection, ADMX/CSP enrichment |
| W365Assessor | Windows 365 (Cloud PC) Enterprise & Frontline tenant assessment — 128 checks, 23 automated via Microsoft Graph |
| WinGetManifestManager | WinGet package manifest manager for private repos |

| Area | Description |
|---|---|
| avd/customizer/ | AIB / Packer image-bake customizers — AdminSysPrep, DisableAutoUpdates, InstallLanguagePacks, RemoveAppxPackages, RemoveUserApps, ResetAutoUpdateSettings, TimezoneRedirection, UpdateWinGet, WindowsOptimization (VDOT wrapper, JSON bundled in-repo) |
| avd/scripts/ | AVD pipeline helpers — host-pool drain, deployment telemetry, FSLogix repair, Get-StubAppPayloads / Install-AppxPayloads, hybrid activator, Remove-AvdHosts |
| avd/pipelines/ | Azure DevOps YAML pipelines for AVD activation, host-pool updates, image bakes |
| avd/bicep/ | Bicep templates for AVD session-host deployment (Entra ID + AD-joined variants) |
| intune/bitlocker/ | Intune Proactive Remediation pair — ensure BitLocker recovery key escrow to Entra ID; MBAM client uninstall |
| macos/servicing/ | macos_dev_cleanup.sh — semi-interactive developer-storage cleanup (Xcode, VS Code/Cursor/Windsurf, .NET, Gradle, Android, Flutter, JetBrains, Homebrew, Docker, Time Machine) |
| windows/applications/ | Uninstall-MsiProduct.ps1 — generic MSI uninstaller by DisplayName / Publisher / Version / ProductCode wildcards. Registry-driven (no Win32_Product side effects); built for vendor agents whose GUID changes per release (e.g. Quest / KACE Agent) |
| windows/dot3svc/ | Reset 802.1X / wired-AutoConfig profiles after migration |
| windows/print/ | Get-PrintDriverWppReadiness.ps1 — flag machines with third-party v3/v4 print drivers (not yet Windows Protected Print ready) ahead of WPP enforcement. Intune Proactive Remediation detection script (exit 0/1) + standalone CSV/JSON fleet inventory; maps drivers to printers actually using them. Read-only |
| windows/rdp/ | Sign .rdp files in user context (no admin required) |
| windows/security/ | Hardware speculation mitigations + Secure Boot UEFI CA 2023 remediation (Intune PR pair) |
| windows/servicing/ | Invoke-PreUpgradeCleanup.ps1 — reclaim disk space via cleanmgr + DISM before a feature update or after image bake. Resize-RecoveryPartition.ps1 — resize the WinRE recovery partition (KB5034441 / CVE-2024-20666 remediation). Get-EspPartitionStatus.ps1 — EFI System Partition size/free reporter as JSON for Grafana/Loki/Telegraf (KB5089549 / 0x800f0922 monitoring) |
| windows/w365/ | Windows 365 Cloud PC utilities — disk resize, keyboard layout configuration |

Most pipeline files use `<YOURVALUE>` placeholders — search for `<YOUR` and replace with your environment-specific values before use.

- PowerShell 5.1+
- Azure CLI / Az PowerShell modules (for AVD scripts and pipelines)
- Windows 11 (for WPF-based tools)

MIT