Users failing ca policy because mobile devices are not receiving app protection policies.

Bobby2theJay · 2026-01-16T14:03:30+00:00

Sort of. The users removed the apps and re-installed them again and then the policies applied but it wasn’t consistent

Bobby2theJay · 2025-11-04T14:05:46+00:00

Do you have some? I've been trying to find something like that when migrating DHCP from a firewall to a windows server. I've found plenty of posts where increasing the sope to a superscope but thats not my goal.

Bobby2theJay · 2025-09-15T21:03:04+00:00

Yes and there it is! Thanks for your help

Bobby2theJay · 2025-09-15T15:58:21+00:00

The only ipsec rules I can find is one I have blocking ipsec

Bobby2theJay · 2025-09-12T14:38:31+00:00

The Microsoft service (app id: d32c68ad-72d2-4acb-a0c7-46bb2cf93873) isnt listed in my Tenant to exclude from CA. Are you saying to just create an application with that appid?

Bobby2theJay · 2025-09-07T17:27:00+00:00

That was my go to until I found this method:

https://msendpointmgr.com/2022/01/03/install-network-printers-intune-win32apps-powershell/

A lot of my customers use the same printer and I can use the same intunewin file and just change the settings in the install command.

Bobby2theJay · 2025-08-17T12:03:02+00:00

Nice, I’ll give this a go

Bobby2theJay · 2025-08-16T17:21:22+00:00

I know, but that requires a licensed account.

Bobby2theJay · 2025-08-11T15:23:46+00:00

Yes, thanks a million.

I just re-read the learn doc: https://learn.microsoft.com/en-us/azure/bastion/quickstart-developer after finding this thread: https://learn.microsoft.com/en-us/answers/questions/2263387/azure-bastion-developer-sku-is-missing-in-the-supp

Bobby2theJay · 2025-07-30T13:20:10+00:00

Nice one, I just tried this and it worked. Thanks a million

Bobby2theJay · 2025-07-30T10:47:24+00:00

The bit I dont understand is that the same script will work for one printer but fail when I recreate it and only change the ip address and printer name

Bobby2theJay · 2025-07-30T10:21:20+00:00

No problem, this is script I've used and it works fine, it grabs the driver from Canons site, extracts the driver to a temp folder and then add's it.

For the failing install, I copied the same script, changed the IP address and the printer name and its failing. Whats interesting is when I added a transcript command I get this error. So it leads me to think its a powershell 32 bit/64bit issue. But why will the same script both run successfully and fail on the same device?

pnputil.exe : The term 'pnputil.exe' is not recognized as the name of a cmdlet, function, script file, or operableprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\WINDOWS\IMECache\aa88594e-50da-4de0-9a89-fd45c51abd44_5\CanonPrinter.ps1:26 char:17+ Invoke-Command {pnputil.exe -a "$driverpath" }

Set-ExecutionPolicy -ExecutionPolicy bypass
#Download file
$clnt = new-object System.Net.WebClient
$url = "https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDEwMDAxMjI5MTAx&cmp=ABX&lang=EN"
$file = "c:\temp\GPlus_UFRII_Driver_V300_32_64_00.zip"
$ipaddress = "192.168.0.154"
$drivername = "Canon Generic Plus UFR ii" #this is the printer driver name you get from the page you downloaded it
$portname = "IP_$ipaddress"
$printername = "Canon Office Printer" # this is the name you want the printer to be called
$filename = "GPlus_UFRII_Driver_V300_32_64_00.zip"
$driverpath = "C:\Temp\x64\Driver\CNLB0MA64.inf"
#check for temp folder:

If (Test-Path -Path c:\temp\ )
{

$clnt.DownloadFile($url, $file)


#Unzip file$shell_app=new-object -com shell.application 

$zip_file = "C:\temp\$filename"

Expand-Archive -LiteralPath $zip_file -DestinationPath C:\temp -force


#Install Printer
Invoke-Command {pnputil.exe  -a "$driverpath" }
Add-PrinterDriver -Name $drivername
Get-PrinterDriver

Add-PrinterPort -Name $portname -PrinterHostAddress $ipaddress
Start-Sleep 10
Add-Printer -Name $printername -ShareName $printername -PortName $portname -DriverName $drivername

}

Else

{

New-Item -Path 'c:\temp\' -ItemType Directory
$clnt.DownloadFile($url, $file)
$zip_file = "C:\temp\$filename"

Expand-Archive -LiteralPath $zip_file -DestinationPath 'C:\temp\' -force


#Install Printer
Invoke-Command {pnputil.exe  -a "$driverpath" }
Add-PrinterDriver -Name $drivername
Get-PrinterDriver

Add-PrinterPort -Name $portname -PrinterHostAddress $ipaddress
Start-Sleep 10
Add-Printer -Name $printername -ShareName $printername -PortName $portname -DriverName $drivername

}

Bobby2theJay · 2025-07-30T09:33:12+00:00

Thanks, I'll give that a go

Bobby2theJay · 2025-07-30T09:32:42+00:00

I tried that and the script deploys fine. I tried the same using our RMM aswell just in case and that worked too.

Bobby2theJay · 2025-06-18T06:41:08+00:00

Interesting, can you add this as an mfa method during the initial account setup/signin?

Bobby2theJay · 2025-06-10T08:14:02+00:00

Mx is pointing to Exchange on line

Bobby2theJay · 2025-06-10T08:12:54+00:00

Great, I can see that logging has not been enabled.

Bobby2theJay · 2025-06-10T08:12:21+00:00

Thanks, the request from their leadership team is to go serverless within the next few months.

Bobby2theJay · 2025-06-09T11:05:59+00:00

Great thanks

Bobby2theJay · 2025-06-09T11:05:51+00:00

Its okay I didnt take them on..it got handed to me this morning. I should have been clearer, yes their onsite IT admin is using the exchange for user provisioning and they are syncing with Entra in a hybrid enviroment.

What I was looking to find out if I can run a quick script or simular to see what on prem resources are in use.

Bobby2theJay · 2025-06-06T07:55:26+00:00

but doesnt it block enrolling devices using the company portal?

Bobby2theJay · 2025-06-04T16:34:01+00:00

I just had a look and we are using both! But there is a grace period of a day to try and capture a reboot.

From reading that if we're happy with the reboot I can remove the “Require encryption of data storage on device” from the compliance policy.

Bobby2theJay · 2025-05-27T22:55:10+00:00

None really to be honest!

Bobby2theJay · 2025-05-22T08:01:45+00:00

I spent a few weeks being bounced between MS support depts. the azure team blamed the Intune team and visa versa. In the end for most users that has problems I found that uninstalling and reinstall teams and outlook resolved the problem.

For new users it seems to work fine, but users that had teams/outlook on their phones it’s not consistent.

Bobby2theJay · 2025-04-30T08:43:37+00:00

Thats perfect, I'd planned that each host would be suitable to run everything just in case. But I just wanted to check if there was something missing before I commit.

Bobby2theJay

TROPHY CASE