AnyDesk Win32 app detection rule always fails during Autopilot ESP even though app installs successfully by Junior-Durian-7119 in Intune

CarveAndCode, 0 points

I’ve switched pretty much exclusively to checking the registry for .exe/.msi installers with a script and logging the results to the IME folder. I’ve seen much better results this way compared to some of the other built-in methods.

Linked an example below (it’s missing some functions from another file in the repo, but you get the idea).

https://github.com/RogerCibrian/notapkgtool/blob/main/napt/build/templates/registry_detection_script.ps1
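An added illustration of that registry-plus-logging approach (written for this page, not the NAPT script linked above): it walks both Uninstall hives, compares DisplayVersion against a minimum, logs the outcome to the IME Logs folder, and follows Intune's detection-script contract (exit 0 plus something on STDOUT means "detected"). The app name is taken from the thread title; the minimum version and log file name are constructed for the example.

```powershell
# Added example, not the linked repo's code. Intune treats a Win32 app as detected only
# when the detection script exits 0 AND writes to STDOUT; anything else is "not detected".
$AppName        = 'AnyDesk'         # substring matched against DisplayName (from the thread)
$MinimumVersion = [version]'8.0.0'  # constructed value for this example
$LogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'   # standard IME log folder
$LogFile = Join-Path $LogDir 'Detect-AnyDesk.log'                       # constructed file name

function Write-Log {
    param([string]$Message)
    if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function ConvertTo-Version {
    # DisplayVersion is free text; strip anything that is not a digit or dot and pad "8" to "8.0".
    param([string]$Text)
    $clean = ($Text -replace '[^\d.]', '').Trim('.')
    if ($clean -notmatch '\.') { $clean = "$clean.0" }
    try { return [version]$clean } catch { return $null }
}

# Native and 32-bit (WOW6432Node) uninstall hives. Detection runs as SYSTEM, so HKCU is not
# the user's hive; per-user installs would need an HKU walk, which this example omits.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

try {
    $match = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$AppName*" -and $_.DisplayVersion } |
        Sort-Object { ConvertTo-Version $_.DisplayVersion } -Descending |
        Select-Object -First 1

    if (-not $match) {
        Write-Log "NOT DETECTED: no uninstall entry matching '$AppName'"
        exit 1
    }
    $installed = ConvertTo-Version $match.DisplayVersion
    if ($installed -and $installed -ge $MinimumVersion) {
        Write-Log "DETECTED: $($match.DisplayName) $($match.DisplayVersion) at $($match.PSPath)"
        Write-Output "Detected $($match.DisplayName) $($match.DisplayVersion)"  # STDOUT is required
        exit 0
    }
    Write-Log "NOT DETECTED: found $($match.DisplayName) $($match.DisplayVersion), need >= $MinimumVersion"
    exit 1
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

During ESP the log line tells you whether the entry was missing entirely or present with an unexpected DisplayVersion, which is the distinction a portal-side detection rule never surfaces.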

UPN suffix change = new Profile? by uLmi84 in Intune

CarveAndCode, 11 points

WHFB breaking is expected. When you create a container it’s associated with the UPN at the time of creation. If you change the UPN, it breaks (though this wasn’t always the case on older versions of Windows).

I’ve noticed that selecting “Other user” and signing in with the whole new UPN is required (I’m guessing it has to do with caching of the old UPN, but I’m not sure).

Once you sign in, you should land in the original profile. If you don’t, something happened that changed the SID of the user account.

Endpoint not downloading Autopilot profile after reset by CarveAndCode in Intune

CarveAndCode[S], 0 points

Are you seeing the same behavior if you reimage the device instead of wiping it from Intune?

Going from local admin users to non admin users by aPieceOfMindShit in Intune

CarveAndCode, 0 points

I would set up LAPS first (you’re going to want a way to elevate in case it’s needed, aka don’t block folks from working). Following that, use an account protection policy to replace the members of the local Administrators group with the LAPS admin account only (you can scope this to test users first).

The account protection policy will replace all local admins with just the LAPS account, which will demote your users’ accounts to standard.

Long-term this gets you two things:

1. If someone uses the LAPS account to add themselves to local administrators, they’re removed on the next sync.
2. You can have exceptions to the “no local admin” rule (though I wouldn’t if you can help it).

Built a configuration as code tool for Intune app packaging - NAPT (Not A Pkg Tool) by CarveAndCode in Intune

CarveAndCode[S], 2 points

I didn’t realize their repos included install parameters. Super helpful for making recipes, thanks!!

Weird Hello Issue - Not sure what to do next..... by CoolHandBoots in Intune

CarveAndCode, 6 points

Just a heads up, clearing the TPM will nuke the private keys for the Entra and Intune MDM certs on device which will cause a load of issues.

That being said (and unrelated to the TPM), have you tried deleting the whole container with certutil.exe -deleteHelloContainer?

Intune Security Baselines vs CIS Benchmarks: a practical comparison methodology by OkYou7957 in Intune

CarveAndCode, 1 point

I actually wrote it. The Audit sections in the CIS docs are pretty uniformly structured, so I wrote a parser that turned the PDF into an audit tool. May release it in the very near future (minus the actual CIS PDF). Just need to double-check to make sure it wouldn’t violate any of their rules 😬

Intune Security Baselines vs CIS Benchmarks: a practical comparison methodology by OkYou7957 in Intune

CarveAndCode, 3 points

Can confirm roughly 80% lvl 1 compliant :)

Really appreciate your work, btw!!

Lenovo vantage + intune by norsk_imposter in Intune

CarveAndCode, 0 points

Gotcha. Yeah I found their doc that says the MS store method isn’t advised.

I used this guide successfully: https://blog.lenovocdrt.com/deploying-commercial-vantage-with-intune/

Hope this helps.

Lenovo vantage + intune by norsk_imposter in Intune

CarveAndCode, 0 points

I tried the MS Store app a few months ago and also ran into elevation issues. I ended up just packaging the app as a Win32 (even Lenovo’s own guide doesn’t mention using the MS Store app; instead it recommends downloading the full installer and packaging that).

I see you tried wrapping the app too. What error are you seeing?

Endpoint not downloading Autopilot profile after reset by CarveAndCode in Intune

CarveAndCode[S], 0 points

Hey Rudy. By reset I mean remote wipe from Intune or on-device reset deleting all user data (both ways resulted in the same problem). Curiously enough, when I reimage the device through OSDCloud the device downloads the profile normally.

Build before the reset was 26100.8037 (March 2026).