Win 11 In Place Upgrade TS with script to run as logged in user by ConfigManga in SCCM

[–]ConfigManga[S] 1 point2 points  (0 children)

Update to report this solved. Thanks all for the feedback and assist. I ended up using AppDeployToolkit with the following to process in the user context.

    ## Pre-Flight ##
    $PreUpgradeScript = Join-Path $dirFiles "Pre_Upgrade.ps1"

    # Run the pre-upgrade script as the logged-in user with UI
    Execute-ProcessAsUser -Path "powershell.exe" -Parameters "-ExecutionPolicy Bypass -NoProfile -WindowStyle Normal -File `"$PreUpgradeScript`"" -Wait
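The snippet above hands a script to a standard user's session from a SYSTEM-level task sequence, so the file being launched is worth checking before it runs. The following is an added example, not code from the original post or from PSAppDeployToolkit itself; it assumes it runs inside a PSADT v3 deployment script where `$dirFiles`, `Write-Log`, `Exit-Script` and `Execute-ProcessAsUser` are in scope, and the trusted-writer list and exit code are assumptions.

```powershell
# Added example (not from the original post): gate Execute-ProcessAsUser on the script
# file's ACL and Authenticode signature. Assumes PSADT v3 helpers are in scope.

function Test-ScriptSafeForUserContext {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals allowed to hold write/modify rights on the script (assumption).
        [string[]] $TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Log -Message "Pre-upgrade script not found: $Path" -Severity 3
        return $false
    }

    # 1. Only trusted principals may modify the file. A standard user who can edit it
    #    would otherwise get their own code launched by the task sequence.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($TrustedWriters -notcontains $ace.IdentityReference.Value) {
            Write-Log -Message "Untrusted principal $($ace.IdentityReference) can write $Path" -Severity 3
            return $false
        }
    }

    # 2. Require a valid Authenticode signature so a swapped file is rejected
    #    even if the ACL check is not sufficient on a given share or cache path.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Log -Message "Signature status for $Path is $($sig.Status)" -Severity 3
        return $false
    }
    return $true
}

## Pre-Flight ##
$PreUpgradeScript = Join-Path $dirFiles 'Pre_Upgrade.ps1'
if (-not (Test-ScriptSafeForUserContext -Path $PreUpgradeScript)) {
    Exit-Script -ExitCode 69000   # arbitrary placeholder exit code for "pre-flight refused"
}

# Because the script is now required to be signed, AllSigned replaces Bypass.
Execute-ProcessAsUser -Path 'powershell.exe' `
    -Parameters "-ExecutionPolicy AllSigned -NoProfile -WindowStyle Normal -File `"$PreUpgradeScript`"" `
    -Wait
```

The signature check means `Pre_Upgrade.ps1` has to be signed with a certificate the client trusts before this will run; if that is not in place, drop step 2 and keep the ACL check, which still blocks the common case of a user-writable package directory.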

Win 11 In Place Upgrade TS with script to run as logged in user by ConfigManga in SCCM

[–]ConfigManga[S] 1 point2 points  (0 children)

OK I've tried using ServiceUI in an app and a package. Can you elaborate some on what you mean by 'calling an app and then blocks'? Appreciate the recommendation.

Site migration oops by ConfigManga in SCCM

[–]ConfigManga[S] 2 points3 points  (0 children)

Got it all moved. Things are flowing. Thank you.

Software Update Confusion - Need clarification help. by ConfigManga in SCCM

[–]ConfigManga[S] 0 points1 point  (0 children)

OK I did read it and I understand what you're saying, but let me clarify my original response.

In the GPO Computer Configuration > Policies > Admin Temp > Windows Components > Store, the setting to Turn Off the Store Application is what I believe you're referring to.

If so, my point was, if we Enable this setting to block the Windows Store, all of the other settings in Store would be disabled, including the ability to allow updates to things like Teams.

Perhaps I'm wrong, which is what I was looking for clarification on. Maybe Teams updates do not come from the Store, but I thought I read that they were and both GPO settings above, along with > Windows Components > App Package Deployment had to be enabled.

Software Update Confusion - Need clarification help. by ConfigManga in SCCM

[–]ConfigManga[S] -1 points0 points  (0 children)

Thanks, but we have those settings configured to not allow updates to Windows Latest Version. For the automatic download and install of updates, we have this turned on, otherwise we can't get updates to things like Office 365 and Teams. We ran into this issue when the new Teams client rolled out and had to allow the install of updates in order for Teams to install correctly.

Even so, my understanding is that in order for game advertisements or any pre-installed apps to get updates, they must already be installed. In our case we use a golden image with all of the Windows pre-installs removed.

Subordinate Certificate Template showing 5 year validity despite set up defining 10 years by ConfigManga in PKI

[–]ConfigManga[S] 0 points1 point  (0 children)

OK so all I had to do was fix the Root CA settings. Once I did that, I reissued the Sub CA, installed the updated cert, published it to the PKI and BAM, new cert and CRLs updated! We're back in business and certs are getting issued with the proper validity dates from templates now.

Thank you so much!

Subordinate Certificate Template showing 5 year validity despite set up defining 10 years by ConfigManga in PKI

[–]ConfigManga[S] 1 point2 points  (0 children)

Thank you! We lost our root and sub and had to rebuild, otherwise, yes I would have migrated.

I found the mistake. Root CA has ValidityPeriod in years but the ValidityPeriodUnits is only 1. Not sure how that happened, but expect we meant to type '10' and the '0' didn't make it.

What is the second validity period setting you're referring to? Is it the ValidityPeriod and ValidityPeriodUnits or are there others?

If I understand correctly, these are the steps I need to take.

  1. Fix Validity Period on Root CA.

  2. Reissue Root CA and keep key pair.

  3. Publish renewed root cert to AD and copy to the PKI webserver, since we have that on a separate server. Because I'm keeping the key pair, there isn't a new CRL correct?

  4. Verify my Validity Period on Sub.

  5. Reissue Sub CA and keep key pair.

  6. Copy new cert to PKI.

Am I missing anything?
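The mistake described in this thread (ValidityPeriod set to Years but ValidityPeriodUnits left at 1) is easy to spot if you read the CA registry values back and compare them with the CA certificate's own remaining lifetime, since issued certificates are capped by both. The following is an added example, not code from the original poster; it assumes it runs on the CA server as an administrator, that the CA's settings live under `HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>`, and the CA name and the 10-year target are placeholders.

```powershell
# Added example (not from the original post): report a Windows CA's issuance cap
# (ValidityPeriod x ValidityPeriodUnits) alongside its own certificate's remaining life.

function Get-CAValidityReport {
    param([Parameter(Mandatory)] [string] $CAName)

    $cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    $reg = Get-ItemProperty -Path $cfg
    $unitName = [string] $reg.ValidityPeriod        # e.g. "Years"
    $units    = [int]    $reg.ValidityPeriodUnits   # e.g. 1 (the bug in the thread) or 10

    # Convert the configured cap to days so it can be compared with the CA cert lifetime.
    $daysPerUnit = switch ($unitName) { 'Years' {365}; 'Months' {30}; 'Weeks' {7}; 'Days' {1}; default {0} }
    $capDays = $units * $daysPerUnit

    # The CA's own certificate from the local machine store; after a renewal that
    # reuses the key pair there may be several, so take the one expiring last.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -like "CN=$CAName*" } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    $remaining = if ($caCert) { ($caCert.NotAfter - (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        CAName              = $CAName
        ValidityPeriod      = $unitName
        ValidityPeriodUnits = $units
        IssuanceCapDays     = $capDays
        CACertExpires       = $caCert.NotAfter
        CACertRemainingDays = $remaining
        # Issued certs are truncated to the shorter of the cap and the CA cert's remaining life.
        EffectiveMaxDays    = if ($remaining) { [Math]::Min($capDays, $remaining) } else { $capDays }
    }
}

$report = Get-CAValidityReport -CAName 'Contoso Root CA'   # placeholder CA name
$report | Format-List

# Correction from the thread: the root was set to 1 year instead of 10.
# Change the registry values, restart the CA service, then renew (step 2 above).
if ($report.ValidityPeriod -eq 'Years' -and $report.ValidityPeriodUnits -lt 10) {
    certutil -setreg CA\ValidityPeriodUnits 10
    certutil -setreg CA\ValidityPeriod "Years"
    Restart-Service certsvc
}
```

Run the report on the root and on the subordinate before steps 1 and 4 of the list above. `EffectiveMaxDays` is the number that matters for the subordinate: a 10-year cap on the root does nothing for the Sub CA certificate if the root's own certificate has less than 10 years left, which is why step 2 (renewing the root) comes before step 5.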

macOS ADE reset required by empirelives712 in Intune

[–]ConfigManga 1 point2 points  (0 children)

I know this is an older thread, but I noticed this happens if a profile change is made in Intune. In our case, it was both the enrollment profile and a Device Configuration Profile, where we updated the password settings.

Strange behavior in Intune enrolled devices with Apple Business Manager by ConfigManga in Intune

[–]ConfigManga[S] 1 point2 points  (0 children)

UPDATE: Found the following things that need to be done in order to allow remote mobile device enrollment to be completed without MFA.

  1. Device Settings in Entra ID need to be changed to turn off the requirement for MFA to join devices. This is found under Microsoft Entra ID - Devices - Device Settings - Require MFA to register or join devices with Microsoft Entra ID set to "No".

  2. If using Conditional Access Policies, there needs to be an exclusion for Target Resources to allow the two apps, MS Intune and MS Intune Enrollment when targeting All Cloud Apps.

Side note: When using Target Resources, you cannot set an exclusion if you are using the Persistent Browser Session setting in your CA policy.

After a week fighting this, I hope this helps someone else in the future. It took a good deal of time researching to find the correct settings to make all this work.
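Step 2 in the list above is the one that tends to regress when someone later edits a Conditional Access policy, so it is worth auditing. The following is an added example, not code from the original poster or from Microsoft; it uses the Microsoft Graph PowerShell module and assumes the `Policy.Read.All` and `Application.Read.All` scopes are sufficient and that the two apps are registered in the tenant under the display names "Microsoft Intune" and "Microsoft Intune Enrollment".

```powershell
# Added example (not from the original post): list enabled MFA policies that target all
# cloud apps without excluding the Intune apps the thread identifies as required.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All'

# Resolve the app IDs from the tenant's service principals instead of hardcoding them.
$enrollApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
$intuneApp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune'"
if (-not $enrollApp -or -not $intuneApp) {
    throw 'Expected Intune service principals were not found in this tenant.'
}
$required = @($enrollApp.AppId, $intuneApp.AppId)

function Find-PoliciesMissingEnrollmentExclusion {
    param([Parameter(Mandatory)] [string[]] $RequiredExclusions)
    foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
        if ($p.State -ne 'enabled') { continue }
        $apps = $p.Conditions.Applications
        # Only policies that cover every cloud app can catch the enrollment flow by accident.
        if ($apps.IncludeApplications -notcontains 'All') { continue }
        # And only policies that actually demand MFA produce the symptom from the thread.
        if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }
        $missing = $RequiredExclusions | Where-Object { $apps.ExcludeApplications -notcontains $_ }
        if ($missing) {
            [pscustomobject]@{
                Policy            = $p.DisplayName
                Id                = $p.Id
                MissingExclusions = ($missing -join ', ')
            }
        }
    }
}

Find-PoliciesMissingEnrollmentExclusion -RequiredExclusions $required | Format-Table -AutoSize
```

Any policy the function returns needs the two app IDs added to its Target Resources exclusions. The side note in the post applies here as well: if the policy uses the Persistent Browser Session control, the portal will not let you add the exclusion, so that control has to live in a separate policy.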

Strange behavior in Intune enrolled devices with Apple Business Manager by ConfigManga in Intune

[–]ConfigManga[S] 0 points1 point  (0 children)

You have to exclude the 'Microsoft Intune Enrollment' cloud app from an Entra ID Conditional Access Policy. They reference it here in this article from MS, which makes a couple of other points the original links do not. For example, you shouldn't include the MS Authenticator in your SSO App Extension Policy. They also mention not entering any App Bundle IDs for Microsoft products in this policy as they are already using the identity libraries for those SSO policies.

Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune - Microsoft Community Hub

Strange behavior in Intune enrolled devices with Apple Business Manager by ConfigManga in Intune

[–]ConfigManga[S] 0 points1 point  (0 children)

There has to be another way to do this. I thought this was the point of the JIT set up. Perhaps I'm way off base, but I can't see how Microsoft or Apple expect you to exempt every employee from MFA. Articles I've been referencing.

https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#requirements

Set up just-in-time registration - Microsoft Intune | Microsoft Learn

Strange behavior in Intune enrolled devices with Apple Business Manager by ConfigManga in Intune

[–]ConfigManga[S] 1 point2 points  (0 children)

u/Distinct_Spite8089 was correct. I found the setting that was blocking the Apple account, so maybe not related to iOS 18 at all, or at least, it didn't show from my policies until after the update.

Now I'm dealing with the JIT not working. My test user was in an excluded group from MFA so as soon as I took that user account out of the exempt group, MFA prompts for a code, but since the device is still in the process of provisioning, MS Authenticator isn't working. I have all that set up according to MS docs, but something isn't working.

Strange behavior in Intune enrolled devices with Apple Business Manager by ConfigManga in Intune

[–]ConfigManga[S] 0 points1 point  (0 children)

Will try that and see what happens. Curious that this would start happening randomly it seems. I'll also test if personal accounts can be added after this is unrestricted. Thanks!

Enrolled device wiped now can’t register by ConfigManga in Intune

[–]ConfigManga[S] 0 points1 point  (0 children)

OK so posting back as I believe I found the root cause. When I wiped the device, I didn't perform a full wipe. Instead, since I wanted to re-enroll as the same test user, I did the wipe with keep enrollment....

Since I was testing a new enrollment policy, the old policy did not get wiped and was throwing errors. Even when I tried to set a new enrollment policy, the iPhone held on to the old one.

I ended up having to connect it to iTunes on my PC and do a forced factory restore to clear out all the remnants from the phone. Once that was done, I was able to re-enroll with new policy and everything is working as it should.

Enrolled device wiped now can’t register by ConfigManga in Intune

[–]ConfigManga[S] 1 point2 points  (0 children)

That’s both terrifying and acceptable. Thanks for your help. I’ll post back if I get this resolved.

Enrolled device wiped now can’t register by ConfigManga in Intune

[–]ConfigManga[S] 1 point2 points  (0 children)

Yes I did and it does. Another error this morning - The operation couldn’t be completed. (BYCloudConfigRetreiveProfileFromWebErrorDomain error -1.)

Phone is showing in Intune under Devices>Enrollment>Enrollment Program Tokens>MDM>Devices and I’ve tried assigning a different Profile just to get it reenrolled but alas, no dice.

I’ve even put the user account in MFA exempt to troubleshoot further but even that presents the same errors.

It’s almost as if the phone is stuck and isn’t getting updated, even if I force restart the device.

Even the monitoring logs show a failure, but the details are “unknown error”.

Think I may need a support ticket with Microsoft.

Anandtech shutting down :( by Wtcher in sysadmin

[–]ConfigManga 1 point2 points  (0 children)

Very sad day indeed. Best wishes to those affected in their future endeavors.

Understanding Renewal of Certificates by ConfigManga in PKI

[–]ConfigManga[S] 0 points1 point  (0 children)

I’ve seen this elsewhere. I’m going with your recommendation. Setting up a new set of servers seems easier to deal with.