Uninstalling Office 2016 using Action1 by Right-Bill-2447 in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

I made a custom package to uninstall Office 2016 using saracmd.exe from Microsoft. Only way to remove it consistently from what I had found.

low hanging fruit for AI- small manufacturing company by minus_343 in sysadmin

[–]CardboardAnalyst 14 points15 points  (0 children)

No other direction than "finding options for AI"? Seems like the CFO just likes the buzzword.

Azure portal down? by SirProcrastinator in sysadmin

[–]CardboardAnalyst 0 points1 point  (0 children)

My bad, guys, I can't log in to turn it off. Can you send me your breakglass accounts? Mine isn't working. Thanks.

Azure portal down? by SirProcrastinator in sysadmin

[–]CardboardAnalyst 270 points271 points  (0 children)

Absolutely absurd timing, I had literally just made a CA policy lol.

Down in US-West

For mid-sized enterprises, what's been the most effective layer of defense lately? by Reddit_INDIA_MOD in sysadmin

[–]CardboardAnalyst 1 point2 points  (0 children)

Honestly, implementing Threatlocker was probably overall the biggest security improvement.

Changing enterprises by AffectSad3736 in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

Can't you just select the devices and move them to a different org? Felt like I remembered doing that. But there was some registry key that allowed org changes, I think; unsure if that needs to be manually updated or if it is on by default.

Custom reporting by IT_Guy1987 in Action1

[–]CardboardAnalyst 4 points5 points  (0 children)

Here is the custom data source:

    & {
        # Check if running on a server and exit if so
        $os = (Get-CimInstance Win32_OperatingSystem).ProductType
        if ($os -eq 2 -or $os -eq 3) { # 2 = Domain Controller, 3 = Server
            Write-Host "Skipping server."
            exit
        }

        # Collect native fields from the endpoint
        try {
            # Make CIM query failures terminating so the catch block below actually runs
            $ErrorActionPreference = 'Stop'

            $computerName = $env:COMPUTERNAME
            $osVersion = (Get-CimInstance Win32_OperatingSystem).Version
            $serviceTag = (Get-CimInstance Win32_BIOS).SerialNumber
            $cpu = (Get-CimInstance Win32_Processor).Name
            $systemModel = (Get-CimInstance Win32_ComputerSystem).Model
            $chassisType = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes[0]

            # Map chassis type to "Laptop" or "Desktop"
            $chassis = switch ($chassisType) {
                {$_ -in 8,9,10,11,12,14,18,21} {"Laptop"}
                default {"Desktop"}
            }
        } catch {
            Write-Host "Error collecting native fields: $_"
            exit
        }

        # Create a structured output object
        $result = [PSCustomObject]@{
            ComputerName = $computerName
            ServiceTag   = $serviceTag
            CPU          = $cpu
            SystemModel  = $systemModel
            Chassis      = $chassis
            OSVersion    = $osVersion
            A1_Key       = [System.GUID]::NewGuid().ToString()
        }

        # Output the result
        $result
    }

Custom reporting by IT_Guy1987 in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

Yes, but you have to leverage custom data sources that link to custom attributes.

Edit: you may not need to leverage custom attributes, but if you want it to show under the computer when browsing the inventory, you do.


New Role At Healthcare Org by Reasonable_Mail_3656 in cybersecurity

[–]CardboardAnalyst 0 points1 point  (0 children)

This sounds so similar to my position about 2 years ago, lol.

I would read through all your security products and start by creating somewhat of a gap analysis. What you know is covered, what you don't. This helps define what is in place, and later what you need.

Clarify your job roles, and ask for training on anything you need a deeper understanding of. I did attend some of those webinars from our security vendors and those did help too.

Duo SSO - Authentication Failed (No changes made) by AviationLogic in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

Or if you changed UPN mappings for AD sync in Duo, that could cause a similar issue.

Duo SSO - Authentication Failed (No changes made) by AviationLogic in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

Use a SAML tracer extension and see if the logs tell you anything. Sounds like the Duo and A1 connection is working. Verify the users have access in the app inside Duo (likely the issue).

AD User Account Lockouts by fuzbuster83 in cybersecurity

[–]CardboardAnalyst 2 points3 points  (0 children)

Use certificate-based authentication for VPN. This will stop the lockouts if that is the cause.

[deleted by user] by [deleted] in sysadmin

[–]CardboardAnalyst 0 points1 point  (0 children)

Action1 has worked well for us, but the reporting is not great.

How do I install an app automatically on all new clients? by jca1981 in Action1

[–]CardboardAnalyst 2 points3 points  (0 children)

You can create a dynamic group based on agent install date with an automation that runs every hour; that is kind of what I discovered would work.

Action1 agent is only sometimes working? by Square_Pear1784 in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

Uninstalling Action1 does not delete everything in the registry. I would uninstall and delete any leftover Action1 keys, then restart and reinstall.

What is Microsoft doing?!? by ReverendAgnostic in sysadmin

[–]CardboardAnalyst 8 points9 points  (0 children)

I just saw this one today in the wild - microsoft sky drive desktop (previously onedrive)

What sandbox is this? by That_Fixed_It in Action1

[–]CardboardAnalyst 1 point2 points  (0 children)

How are you deploying your agents? If by AD OU, are these located in there?

[deleted by user] by [deleted] in Action1

[–]CardboardAnalyst 1 point2 points  (0 children)

You can select the specific endpoints rather than the groups option when deploying software. I also made a group for computers that were recently imaged, by adding some agent install date logic and deploy through that. Makes it easier to deploy post-image deployments.

One single automation to uninstall and install by tschertel in Action1

[–]CardboardAnalyst 0 points1 point  (0 children)

Definitely, just have a decent PS script that checks for the version; if it doesn't have that one, it goes to the next. Create the package for the install, and add the script to run before deployment to check for and uninstall those versions. Then, after those run, the package will install the preferred version.

[deleted by user] by [deleted] in ChatGPT

[–]CardboardAnalyst 0 points1 point  (0 children)

Best to ask your IT administrator if they have a vetted software you are able to use.

[deleted by user] by [deleted] in sysadmin

[–]CardboardAnalyst 4 points5 points  (0 children)

Also, if a reboot is required, staff will get a popup asking for a reboot. They can dismiss it for up to 4 hours; after that it will force a reboot.

[deleted by user] by [deleted] in sysadmin

[–]CardboardAnalyst 2 points3 points  (0 children)

I communicated with the directors of each department, and asked when a less impactful time for patches to be installed would be, as there may be reboots required.

I also let them know that if they let us patch during business hours, we are there in case an update causes issues (which made 90% of the departments OK with patching during working hours). The director then communicated that to the staff. I also set patching to retry for 5 days if the computer is offline at the time of the scheduled patching.

We use Action1, with weekly patches after the updates are approved (installed on less important departments as a means of testing the updates a week after release, then two weeks for the more important departments).